improve Content-Security-Policy handling
Summary
The way CSP currently works could be improved. Currently all the work is done in sendHtml()
Heuristics, feature tests and regexps are used to populate the CSP, combined with user-defined options
We should instead let each module/LLNG feature handle its own CSP (see $req->data->{cspFormAction}
).
Design proposition
Example of a better API, in Choice.pm
$req->setCSP("form-action", $url);
or when embedding an iframe:
$req->setCSP("frame-src", $url);
( see also #2513 (closed) )