EB should set (strict) CSP headers on user-facing pages #1905

@baszoetekouw

Description

See:

The best solution would be to let EB set the CSP header instead of relying on webserver logic to insert the header on the correct pages.

Concretely, we would like this CSP:

content-security-policy: default-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self' https://static.openconex.org http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'

to be automatically included on all template-based pages, including (at least):

  • WAYF
  • consent
  • error screens
  • service request
  • metadata home screen

It should not be included on any pages producing XML (including SAML metadata, requests and assertions).
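As an added illustration of the behaviour asked for above (example code written for this page, not EngineBlock's own implementation), the following Python response filter attaches exactly the policy from the issue to responses whose media type is `text/html` and leaves every other response, including XML such as SAML metadata, AuthnRequests and assertions, untouched. The sample responses at the bottom are constructed, and the helper names (`apply_csp`, `should_set_csp`, `missing_directives`) are this example's own:

```python
from __future__ import annotations

# The policy requested in the issue, one directive per entry so it can be
# reviewed and extended without editing a single long string.
CSP_DIRECTIVES: dict[str, list[str]] = {
    "default-src": ["'none'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "img-src": ["'self'", "https://static.openconex.org", "http://localhost:*", "data:"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"],
    "base-uri": ["'none'"],
}

CSP_HEADER = "Content-Security-Policy"

# Only template-rendered HTML gets the header. The decision is "is this
# text/html?", so XML output (metadata, requests, assertions) and any
# unknown media type are left alone.
HTML_MEDIA_TYPES = {"text/html"}


def build_csp(directives: dict[str, list[str]] = CSP_DIRECTIVES) -> str:
    """Serialise the directive table into a header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a CSP header value back into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for raw in value.split(";"):
        parts = raw.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def media_type(content_type: str | None) -> str:
    """'text/html; charset=utf-8' -> 'text/html'."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def should_set_csp(content_type: str | None) -> bool:
    """True only for HTML responses; XML and unknown types get no policy."""
    return media_type(content_type) in HTML_MEDIA_TYPES


def apply_csp(headers: dict[str, str]) -> dict[str, str]:
    """Return a copy of the response headers with the policy added when appropriate.

    A CSP header that the page itself already set is left as it is.
    """
    out = dict(headers)
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    already_set = any(k.lower() == CSP_HEADER.lower() for k in headers)
    if should_set_csp(ctype) and not already_set:
        out[CSP_HEADER] = build_csp()
    return out


def missing_directives(value: str, required: dict[str, list[str]] = CSP_DIRECTIVES) -> list[str]:
    """Directives of the reference policy that a header value lacks or weakens.

    Useful as a regression check against what a deployed page actually sends.
    """
    policy = parse_csp(value)
    return [name for name, sources in required.items() if policy.get(name) != sources]


# Constructed sample responses (hypothetical, not captured from a real EngineBlock).
SAMPLE_RESPONSES = {
    "wayf": {"Content-Type": "text/html; charset=UTF-8"},
    "consent": {"Content-Type": "text/html"},
    "error": {"Content-Type": "text/html"},
    "metadata": {"Content-Type": "application/samlmetadata+xml"},
    "authn-request": {"Content-Type": "text/xml"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name:14s} {apply_csp(headers).get(CSP_HEADER, '<no CSP>')}")
```

The filter keys purely on the response media type, which is the simplest rule that matches the issue's split between template pages and XML output. One thing to verify in a real deployment: if any HTML page carries an inline script (for instance an auto-submitting form), `script-src 'self'` blocks it, so such a page needs its script moved to a file under `'self'` or a per-response nonce rather than a weakening of the policy.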

Metadata

Assignees
Labels: No labels
Projects
Status: In Progress
Milestone
Relationships: None yet
Development: No branches or pull requests