improve Content-Security-Policy handling

The way CSP currently works could be improved. Currently all the work is done in sendHtml()

Heuristics, feature tests and regexps are used to populate the CSP, combined with user-defined options

We should instead let each module/LLNG feature handle its own CSP (see $req->data->{cspFormAction}).

Example of a better API, in Choice.pm

$req->setCSP("form-action", $url);

or when embedding an iframe:

$req->setCSP("frame-src", $url);