netviel
Using CSP for defense in depth
Hey, I see you are using bleach on the HTML contents, which is awesome.
A great defense in depth measure available in all modern browsers is CSP. With a few headers we can make sure that no inline JavaScript is executed even if it escaped bleach, and, even if an attacker did get code execution in the page, stop them from exfiltrating data by blocking external requests.
Happy to make a PR if this is something you'd be interested in merging.
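An added example of the header described above, not netviel's code nor the issue author's: a stdlib-only WSGI middleware that attaches a strict policy (no `'unsafe-inline'`, every fetch confined to the page's own origin) and a small check that flags sources which would undo it. It assumes netviel serves its pages through a WSGI app; the directive list, the wildcard policy and the demo page are constructed here.

```python
"""Strict Content-Security-Policy as a WSGI middleware (stdlib only)."""
from wsgiref.util import setup_testing_defaults

# Constructed policy: omitting 'unsafe-inline' blocks inline <script> and
# event handlers; restricting every source to 'self' means a script that
# did run cannot load, fetch or POST to another origin.
STRICT_CSP = {
    "default-src": ["'none'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'"],
    "connect-src": ["'self'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"],
    "base-uri": ["'none'"],
}
# Directives that decide whether code runs or data leaves the origin.
EXFIL_DIRECTIVES = ("default-src", "script-src", "connect-src", "form-action")

def build_csp(policy):
    """Serialise {directive: [sources]} into a header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())

def policy_weaknesses(policy):
    """Return (directive, source) pairs that weaken a single-origin app:
    for the exfiltration-relevant directives, anything other than 'self'
    or 'none' (e.g. 'unsafe-inline', '*', an external host) is flagged."""
    return [(d, s) for d in EXFIL_DIRECTIVES for s in policy.get(d, [])
            if s not in ("'self'", "'none'")]

def csp_middleware(app, policy=STRICT_CSP):
    """Wrap a WSGI app so every response carries the CSP header."""
    value = build_csp(policy)
    def wrapped(environ, start_response):
        def start_with_csp(status, headers, exc_info=None):
            headers = [h for h in headers
                       if h[0].lower() != "content-security-policy"]
            headers.append(("Content-Security-Policy", value))
            return start_response(status, headers, exc_info)
        return app(environ, start_with_csp)
    return wrapped

def demo_response_headers():
    """Run a constructed one-page app through the middleware and return
    the headers a browser would receive."""
    def page(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<p>mail body, already bleach-cleaned</p>"]
    environ, captured = {}, {}
    setup_testing_defaults(environ)
    def start_response(status, headers, exc_info=None):
        captured["headers"] = dict(headers)
    list(csp_middleware(page)(environ, start_response))
    return captured["headers"]
```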