Draft: Add content security policy
Initially, we can set up an unenforced report-only policy, so that we see if there are any false positives without breaking the website.
Related to #735 (we can close it after the policy is enforced)
Edited by Martin Mladenov