
Set CSP in development env

Open eloquence opened this issue 2 years ago • 1 comments

Since the dev env is intended to support fast changes to the web experience, it should set the same Content-Security-Policy as the production server, as you're likely to otherwise experience bad surprises e.g. when attempting to use inline styles. (It may be desirable to set other headers along the way, but this one is among the most likely to actually cause unexpected breakage.)

eloquence, Feb 17 '22 19:02

Currently set in Apache, so you might need special dev-only code to set this in the application, which may or may not be worth it considering the staging environment does use Apache.

zenmonkeykstop, Feb 17 '22 21:02
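
One way to keep a dev server's policy identical to the one Apache sends, shown as an added example that is not SecureDrop code: read the `Header [always] set` directive out of the Apache config and apply it through a dev-only WSGI wrapper. The sample config, its policy value, and the names `headers_from_apache` and `DevSecurityHeaders` are constructed for illustration.

```python
import re

# Constructed sample of an Apache site config. The policy value is a
# placeholder, not the project's production policy.
SAMPLE_APACHE_CONF = '''
<VirtualHost 127.0.0.1:80>
  # Header set Content-Security-Policy "default-src *"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Content-Security-Policy "default-src 'none'; style-src 'self'"
</VirtualHost>
'''

# Matches mod_headers lines of the form: Header [always] set <name> "<value>"
# Commented-out directives are skipped because '#' precedes 'Header'.
_HEADER_RE = re.compile(
    r'^[ \t]*Header[ \t]+(?:always[ \t]+)?set[ \t]+(\S+)[ \t]+"((?:[^"\\]|\\.)*)"',
    re.I | re.M,
)


def headers_from_apache(conf_text, wanted=("Content-Security-Policy",)):
    """Return {name: value} for the wanted headers found in conf_text."""
    wanted_lc = {w.lower(): w for w in wanted}
    found = {}
    for name, value in _HEADER_RE.findall(conf_text):
        if name.lower() in wanted_lc:
            # Later directives override earlier ones, as 'set' does in Apache.
            found[wanted_lc[name.lower()]] = value.replace('\\"', '"')
    return found


class DevSecurityHeaders:
    """WSGI middleware that adds the given headers to every response."""

    def __init__(self, app, headers):
        self.app = app
        self.headers = list(headers.items())

    def __call__(self, environ, start_response):
        def patched(status, response_headers, exc_info=None):
            # Do not duplicate a header the application already set itself.
            present = {k.lower() for k, _ in response_headers}
            extra = [(k, v) for k, v in self.headers if k.lower() not in present]
            return start_response(status, response_headers + extra, exc_info)

        return self.app(environ, patched)
```

Wrap the application with `DevSecurityHeaders` only when the development server starts, so staging and production continue to get the header from Apache alone.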