Problem/Motivation

When I use the module with "Use the simplified workspace switcher in the toolbar" enabled and with security rules (Security Kit module in fact), the workspace switcher doesn't work anymore because of an error in the browser console:

Executing inline event handler violates the following Content Security Policy directive 'script-src 'self' (...) . Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. The action has been blocked.

Steps to reproduce

  1. Enable WSE
  2. Enable "Use the simplified workspace switcher in the toolbar" in Settings.
  3. Install and enable Security Kit
  4. Set CSP rules
  5. Create a new workspace and switch to it.
  6. Click on the workspace button in the admin toolbar and click on "Live" workspace
  7. Error occurs in the console.

Proposed resolution

The simplified toolbar switcher renders a element with an inline onchange="this.form.submit();" attribute. Inline event handlers cannot be whitelisted via CSP hashes (per spec), and are blocked by strict CSP policies such as those enforced by the Seckit module.

To fix it, a possible solution could be:
- Replace the inline onchange attribute with a data-wse-workspace-switcher attribute used as a JS hook.
- Attach a new JS file that submits the form through the data-wse-workspace-switcher attribute.
- Attach the new wse/simplified_toolbar_switcher library to the form.
- Declare the new library in wse.libraries.yml, pointing to the existing js/wse-simplified-toolbar-switcher.js file.
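The following is an added example of the pattern proposed above, not the WSE module's own code: the change handler is bound from an external script through the `data-wse-workspace-switcher` hook, so the strict `script-src 'self'` policy no longer blocks it. It assumes the standard `Drupal.behaviors.<name>.attach(context)` API; the fake form/select objects are constructed only so the code can be exercised outside a browser.

```javascript
// Added example (not the WSE module's code): bind submit-on-change to the
// switcher via a data attribute instead of an inline onchange="...", which
// a CSP without 'unsafe-inline'/'unsafe-hashes' or a nonce refuses to run.

const SWITCHER_SELECTOR = '[data-wse-workspace-switcher]';

// Bind every switcher under `root` (a Document, an element, or the `context`
// Drupal passes to behaviors). A marker attribute prevents double binding
// when behaviors are re-attached after AJAX updates. Returns the bound count.
function attachWorkspaceSwitcher(root) {
  let bound = 0;
  for (const el of root.querySelectorAll(SWITCHER_SELECTOR)) {
    if (el.dataset.wseSwitcherBound === 'true') continue;
    el.dataset.wseSwitcherBound = 'true';
    // Same effect as the inline onchange="this.form.submit();", but the code
    // now lives in a file served from 'self', so it passes script-src 'self'.
    el.addEventListener('change', () => { if (el.form) el.form.submit(); });
    bound += 1;
  }
  return bound;
}

// Register as a Drupal behavior when loaded inside Drupal (assumed standard
// core API); a no-op anywhere else, e.g. when run under Node for the demo.
if (typeof Drupal !== 'undefined' && Drupal.behaviors) {
  Drupal.behaviors.wseSimplifiedToolbarSwitcher = {
    attach(context) { attachWorkspaceSwitcher(context); },
  };
}

// Constructed stand-in for a <select> inside a <form>; no real DOM is used,
// it only records listeners and counts submit() calls.
function makeFakeSwitcher() {
  const form = { submitted: 0, submit() { this.submitted += 1; } };
  const select = {
    dataset: {}, listeners: {}, form,
    addEventListener(type, fn) { this.listeners[type] = fn; },
    dispatch(type) { (this.listeners[type] || (() => {}))(); },
  };
  return { root: { querySelectorAll: () => [select] }, select, form };
}

// Bind twice (second call must be a no-op), fire one change, report counts.
function demo() {
  const { root, select, form } = makeFakeSwitcher();
  const first = attachWorkspaceSwitcher(root);
  const second = attachWorkspaceSwitcher(root);
  select.dispatch('change');
  return { first, second, submitted: form.submitted };
}
```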

Attached file: wse_simplified_toolbar_switcher.png (14.23 KB, aurianahg)

Issue fork wse-3577029


Comments

aurianahg created an issue. See original summary.

aurianahg changed the visibility of the branch 3577029-csp-violation-caused to hidden.

amateescu made their first commit to this issue’s fork.


Version: 3.0.0-alpha1 » 3.0.x-dev
Status: Active » Fixed

Made a couple of changes to the MR: moved the new code to the existing wse.toolbar.js file because we don't really need a new library for this.

Merged into 3.0.x and back-ported to 2.0.x, thanks!


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.