Recommended content security policy

[fatchild]

Based on eval() is deprecated and unsafe #53

This ticket to to track the evolution of a new csp recommendation.

On our Wiki we have a page Apache Hardening which has content security policy recommendations, this should probably be updated from;

Header set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' www.google.com www.gstatic.com; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' www.gstatic.com; base-uri 'self'; form-action 'self'; font-src 'self'

to include Luke's changes from #53;

Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' www.google.com www.gstatic.com www.googletagmanager.com www.google-analytics.com; connect-src 'self' www.gstatic.com; img-src 'self' data: bazaar.eprints.org ssl.google-analytics.com www.googletagmanager.com; style-src 'self' 'unsafe-inline' www.gstatic.com; base-uri 'self'; form-action 'self'; font-src 'self'; object-src 'self'; frame-src 'self'; media-src 'self';"

[MrBunsy]

Also need to add media-src 'self'; to allow videos to play