stronglink
Secure hosting of raw files
Raw files may be malicious to either the user or the repo. In order to protect everyone concerned, we should consider:
- Content-Security-Policy header
- Sandboxing in iframes (worst option but might be the most widely supported?)
- Sub-origins
- Hosting raw files on a separate origin (for loopback, use a different loopback IP... but there are still cases that doesn't cover)
The same-origin policy is such a fluster-cluck.
It might also be a good idea to serve the main page with CSP to block inline scripts. On the other hand I'm not sure how I feel about defense in depth, if we're just going to make exploits more annoying for researchers rather than any more difficult.
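A sketch of the header-based options from the list above, added here as an illustration and not taken from the StrongLink code base: a small WSGI app that serves raw files under a sandboxing CSP and the main page under a CSP without inline scripts. The `/raw/` route, the `FILES` store, and the `fetch` helper are assumptions made for the example.

```python
# Added illustration; route, names and sample bytes are constructed, not StrongLink's.
RAW_PREFIX = "/raw/"  # hypothetical route for untrusted raw files

# Constructed sample store: one hostile HTML upload.
FILES = {"evil.html": (b"<script>alert(document.cookie)</script>", "text/html")}

RAW_HEADERS = [
    # 'sandbox' with no allow-* tokens: opaque origin, no scripts, no forms.
    ("Content-Security-Policy", "sandbox; default-src 'none'"),
    # Stop the browser from second-guessing the declared Content-Type.
    ("X-Content-Type-Options", "nosniff"),
]
PAGE_HEADERS = [
    # No 'unsafe-inline', so inline <script> blocks and on* handlers are refused.
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self'; object-src 'none'"),
    ("X-Content-Type-Options", "nosniff"),
]

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path.startswith(RAW_PREFIX):
        entry = FILES.get(path[len(RAW_PREFIX):])
        if entry is None:
            # Error responses under the raw prefix get the same restrictive headers.
            start_response("404 Not Found",
                           RAW_HEADERS + [("Content-Type", "text/plain")])
            return [b"not found"]
        body, ctype = entry
        start_response("200 OK", RAW_HEADERS + [
            ("Content-Type", ctype), ("Content-Length", str(len(body)))])
        return [body]
    body = b"<!doctype html><title>main</title>"
    start_response("200 OK", PAGE_HEADERS + [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body)))])
    return [body]

def fetch(path):
    """Call the app in-process and return (status, headers dict, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return seen["status"], seen["headers"], body
```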