candy
Support a more restrictive Content-Security-Policy
When CSP is enabled, Candy is unable to function properly.
The most obvious issues are the presence of the onsubmit, onchange, etc. attributes. The example.html file also ships some inline script which should be disallowed.
CSP is very important for a client like Candy since it provides additional security against attackers embedding scripts or styles in their payloads.
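The constructs named in this issue (`on*` attributes and inline script, plus inline styles) can be listed with a lint pass before tightening the policy. This is an added example, not Candy's own code: the helper name `findInlineCode` and the sample markup are constructed for illustration, and the regex matching only approximates an HTML parser.

```javascript
// Constructed sample markup (not Candy's actual example.html).
const SAMPLE = `
<form id="login" onsubmit="return doLogin(this)">
  <select name="lang" onchange="setLang(this.value)"></select>
  <p style="color:red">error</p>
</form>
<script src="app.js"></script>
<script>init({debug: true});</script>
`;

// Hypothetical audit helper: lists markup that a policy without
// 'unsafe-inline' in script-src / style-src would block.
function findInlineCode(html) {
  const findings = [];

  // 1. <script>/<style> elements are inline when they have a body and no src.
  const blockRe = /<(script|style)\b([^>]*)>([\s\S]*?)<\/\1\s*>/gi;
  const markup = html.replace(blockRe, (all, tag, attrs, body) => {
    const name = tag.toLowerCase();
    if (body.trim() && !/\bsrc\s*=/i.test(attrs)) {
      findings.push({ kind: 'inline-' + name, where: name });
    }
    return ''; // drop the element so its body is not scanned as tags
  });

  // 2. Attributes on the remaining tags: on* handlers and style="...".
  //    Quoted values are consumed whole, so "onclick=1" inside a value
  //    is not mistaken for an attribute name.
  const tagRe = /<([a-z][a-z0-9-]*)\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  for (const tag of markup.matchAll(tagRe)) {
    const el = tag[1].toLowerCase();
    for (const attr of tag[2].matchAll(attrRe)) {
      const name = attr[1].toLowerCase();
      if (/^on[a-z]+$/.test(name)) {
        findings.push({ kind: 'inline-handler', where: `${el}[${name}]` });
      } else if (name === 'style') {
        findings.push({ kind: 'inline-style-attr', where: `${el}[style]` });
      }
    }
  }
  return findings;
}

for (const f of findInlineCode(SAMPLE)) console.log(f.kind, f.where);
```

Each `inline-handler` finding is a place where the handler would need to move into an external script file and be attached with `addEventListener`.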