Update the CSP to only allow Stripe on the donation page.
Fixes #574 (closed).
This adds the CSP map so when the request is for ^~/donate_stripe it will use the CSP where Stripe's external resources are allowed. Otherwise it will use the default one.
For the default CSP I used the original one from this commit without the Stripe script-src and data: from img-src.
I don't know if this is the correct CSP or if it even works, but it's something to get started.
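A sketch of the per-path CSP selection described above, added here as an illustration and not taken from this merge request. It assumes the server is nginx; the variable name `$csp_policy`, the server name and the policy strings are constructed for the example and are not the project's actual values.

```nginx
# Added example: assumes nginx. The map block belongs in the http {} context.
# $csp_policy is a hypothetical variable name; both policy strings are
# constructed for illustration.
map $request_uri $csp_policy {
    # Default policy: no Stripe origin in script-src, no data: in img-src.
    default "default-src 'self'; script-src 'self'; img-src 'self'; frame-src 'none'";

    # Donation page only: allow Stripe's script and frame origin and its API
    # endpoint. In a map, a leading "~" marks a case-sensitive regex, so the
    # prefix match is written "~^/donate_stripe".
    ~^/donate_stripe "default-src 'self'; script-src 'self' https://js.stripe.com; img-src 'self' data:; frame-src https://js.stripe.com; connect-src 'self' https://api.stripe.com";
}

server {
    listen 80;
    server_name example.invalid;  # placeholder

    # "always" sends the header on error responses too. add_header is
    # inherited from this level only by locations that declare no add_header
    # of their own, so a location that adds any header must repeat this line
    # or it will be served without a CSP.
    add_header Content-Security-Policy $csp_policy always;

    location / {
        root /var/www/html;  # placeholder
    }
}
```

After reloading, compare the `Content-Security-Policy` response header for the donation path and for any other path to confirm that only the donation page receives the Stripe-enabled policy.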