Allow setting CSP
CSP is a browser mechanic that informs the browser to only load assets from allowed origins.
Implementing this should weaken the effect of XSS attacks if they happen.
This should be merged after #78 (closed) (but can be worked on in parallel)