Generate Content-Security-Policy headers and related
(Once #1137 (closed) is fixed).
Generate these headers:
Content-Security-Policy: default-src 'none'; img-src 'self'; script-src 'self'; connect-src 'self'; style-src 'self'; font-src 'self'; child-src 'none' $CHILD_SRC; form-action 'self' $FORM_ACTION; frame-ancestors 'none'; report-uri $REPORT_URI
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
With:
- $CHILD_SRC empty, except with logout iframes
- $FORM_ACTION empty, except with SAML forms
- $REPORT_URI: configurable (default empty)
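
One way to assemble these headers from the three variables, as an added example (not code from this issue or the project). The function and parameter names and the validation patterns are assumptions; `'none'` is dropped from `child-src` once origins are supplied, because the CSP grammar only accepts it as the sole source, and `report-uri` is omitted when empty.

```python
import re

# Assumed allow-patterns (not from the original issue): bare origins for
# source lists, an absolute or same-site URL for the report endpoint.
_ORIGIN = re.compile(r"https?://[A-Za-z0-9.-]+(:\d{1,5})?")
_REPORT = re.compile(r"(https?://|/)[^\s;,]+")


def _sources(base, extra):
    """Build one directive's source list from its default plus extra origins."""
    for origin in extra:
        # fullmatch rejects ';', ',', spaces and CR/LF, any of which would
        # add directives to the policy or split the response header.
        if not _ORIGIN.fullmatch(origin):
            raise ValueError(f"invalid CSP source: {origin!r}")
    if base == "'none'" and extra:
        # The CSP grammar only allows 'none' on its own, so drop it here.
        return " ".join(extra)
    return " ".join([base, *extra])


def security_headers(child_src=(), form_action=(), report_uri=""):
    """child_src: logout iframe origins; form_action: SAML form targets."""
    child = _sources("'none'", child_src)
    form = _sources("'self'", form_action)
    directives = [
        "default-src 'none'", "img-src 'self'", "script-src 'self'",
        "connect-src 'self'", "style-src 'self'", "font-src 'self'",
        f"child-src {child}", f"form-action {form}",
        "frame-ancestors 'none'",
    ]
    if report_uri:  # default empty: emit no report-uri directive at all
        if not _REPORT.fullmatch(report_uri):
            raise ValueError(f"invalid report URI: {report_uri!r}")
        directives.append(f"report-uri {report_uri}")
    return {
        "Content-Security-Policy": "; ".join(directives),
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "X-XSS-Protection": "1; mode=block",
    }


if __name__ == "__main__":
    # Constructed sample values for a portal with a logout iframe and a SAML IdP.
    for name, value in security_headers(
        child_src=["https://app.example.com"],
        form_action=["https://idp.example.com"],
        report_uri="/csp-report",
    ).items():
        print(f"{name}: {value}")
```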