Content Security Policy
Reported by: Matt Molyneaux
Owned by:
CSP (Content Security Policy) is notably missing from MediaGoblin.
This will add an additional layer of security should a user be able to bypass comment sanitisation (or the blogging plugin) and add some hostile JS to their content.
At the very least, we should use this to limit JS to the host the static assets are served from.
It will be kinda tricky to implement in such a way that it won't cause issues when deploying, especially for novice users.
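As an added illustration of the restriction proposed in this ticket (example code written for this note, not MediaGoblin's own code), the following Python WSGI middleware builds a policy that confines scripts to the application's own origin plus the origin of the configured static asset base URL, and sends it in report-only mode when asked, which is one way to roll it out without breaking existing deployments. The configuration name `static_base`, the demo application and every hostname below are assumptions; `script_allowed` is a deliberately simplified model of browser source matching (host-source, `'self'` and `'unsafe-inline'` only) used to show what the policy would block, not a full CSP implementation.

```python
"""CSP builder, WSGI middleware and a simplified policy checker.

Added example, not part of MediaGoblin. ``static_base`` (base URL of the
static assets, e.g. "/mgoblin_static/" or "https://static.example.org/mg/")
and the demo application are assumptions made for this illustration.
"""
from urllib.parse import urlsplit


def static_origin(url):
    """Return the origin (scheme://host[:port]) of an absolute URL, or None
    when the URL is relative and therefore resolves to the page's own origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def build_csp(static_base):
    """Build a policy whose script-src is the app origin plus the static host.

    script-src carries no 'unsafe-inline', so an inline <script> that slips
    through comment sanitisation is not executed by a CSP-aware browser.
    """
    sources = ["'self'"]
    origin = static_origin(static_base)
    if origin:
        sources.append(origin)
    src_list = " ".join(sources)
    directives = [
        "default-src " + src_list,
        "script-src " + src_list,
        "object-src 'none'",       # no Flash/Java-style plugin content
        "base-uri 'self'",         # stop <base> injection redirecting relative URLs
        "frame-ancestors 'self'",  # clickjacking protection for framed pages
    ]
    return "; ".join(directives)


class CSPMiddleware:
    """WSGI middleware adding the policy header to every response that lacks one.

    report_only=True sends Content-Security-Policy-Report-Only instead, so a
    deployment can observe violations before enforcing the policy.
    """

    def __init__(self, app, static_base, report_only=False):
        self.app = app
        self.header = ("Content-Security-Policy-Report-Only" if report_only
                       else "Content-Security-Policy")
        self.policy = build_csp(static_base)

    def __call__(self, environ, start_response):
        def csp_start_response(status, headers, exc_info=None):
            if not any(k.lower() == self.header.lower() for k, _ in headers):
                headers = list(headers) + [(self.header, self.policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, csp_start_response)


def script_allowed(policy, page_origin, script_src):
    """Simplified check: would a <script> load under ``policy`` on a page served
    from ``page_origin``? ``script_src`` is the script URL, or None for an
    inline script. Only host-source, 'self' and 'unsafe-inline' are modelled."""
    directives = dict(d.strip().split(" ", 1) for d in policy.split(";") if d.strip())
    sources = directives.get("script-src", directives.get("default-src", "")).split()
    if script_src is None:
        return "'unsafe-inline'" in sources
    src_origin = static_origin(script_src) or page_origin  # relative => own origin
    for source in sources:
        if source == "'self'" and src_origin == page_origin:
            return True
        if source == src_origin:
            return True
    return False


def demo_app(environ, start_response):
    """Stand-in for the wrapped application (assumed, for the demonstration)."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def response_headers(app, path="/"):
    """Invoke a WSGI app once with a constructed environ and return its headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
        return lambda data: None

    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return dict(captured["headers"])


if __name__ == "__main__":
    policy = build_csp("https://static.example.org/mg/")
    print(policy)
    print("inline script allowed:", script_allowed(policy, "https://gallery.example.org", None))
    print(response_headers(CSPMiddleware(demo_app, "https://static.example.org/mg/")))
```

With a relative `static_base` the policy collapses to `'self'` only, which is the common single-host install; with an absolute static URL the static origin is added to both `default-src` and `script-src` so that CSS, fonts and images served from it keep working. Wrapping the application in `CSPMiddleware(app, static_base, report_only=True)` first lets an administrator check the browser console for violations before switching to enforcement.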