Adds a default CSP that is less restrictive than the one set by backends. Browsers should prefer the HTTP header if set, but will fall back on this if it isn't set.
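How a header policy and a meta-tag policy combine in a browser, as an added example that is not part of the original change: per the CSP specification each delivered policy is enforced on its own, so a load must pass every policy present. The policy strings, origins and function names are constructed for illustration, and source matching is simplified to `*`, `'self'` and exact origins.

```javascript
// Added example: simplified model of CSP enforcement when a page carries both
// a header policy and a <meta http-equiv> policy. All values are constructed.
const PAGE_ORIGIN = "https://app.example";                                 // assumed origin
const META_DEFAULT = "default-src 'self' https://cdn.example; img-src *"; // assumed fallback
const BACKEND_HEADER = "default-src 'self'; img-src 'self'";              // assumed header

function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Simplified source matching: only *, 'self' and exact origins are modelled.
function sourceMatches(expr, url) {
  const origin = new URL(url).origin;
  if (expr === "*") return true;
  if (expr === "'self'") return origin === PAGE_ORIGIN;
  return expr === origin;
}

function policyAllows(policy, directive, url) {
  // Fetch directives such as script-src and img-src fall back to default-src.
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // nothing applicable, so unrestricted
  return sources.some((expr) => sourceMatches(expr, url));
}

// Each delivered policy is enforced on its own; a load must pass all of them.
function browserAllows({ header, meta }, directive, url) {
  return [header, meta]
    .filter(Boolean)
    .map(parsePolicy)
    .every((policy) => policyAllows(policy, directive, url));
}

const cdnScript = "https://cdn.example/lib.js";
console.log("meta only:", browserAllows({ meta: META_DEFAULT }, "script-src", cdnScript));
console.log("header + meta:",
  browserAllows({ header: BACKEND_HEADER, meta: META_DEFAULT }, "script-src", cdnScript));
```

A policy delivered by meta tag also ignores `frame-ancestors`, `report-uri` and `sandbox`, so a meta fallback cannot stand in for the header on those directives.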