Add Content-Security-Policy headers

[samuelecavalleri]

Starting from the branch security-headers:

Figure out why the current Content-Security-Policy header prevents all of the assets from being loaded.

[pascalwittler]

I think one reason for the problem may be the nested but unescaped single quotes around 'self' in https://github.com/passwordcockpit/passwordcockpit/blob/security-headers/docker/php/apache/Dockerfile#L154.

[heydenb]

Could it be that the latest version is having issues with the CSP. I am running the container via docker-compose locally and the webapp gives an empty page. All js files are blocked by the CSP header.

[heydenb]

Could it be that the latest version is having issues with the CSP. I am running the container via docker-compose locally and the webapp gives an empty page. All js files are blocked by the CSP header.

Nevermind, I was using 1.3.4 which had the issue. That's still the version which is refered to in the sample docker-compose.yml in github.

[pascalwittler]

Could it be that the latest version is having issues with the CSP. I am running the container via docker-compose locally and the webapp gives an empty page. All js files are blocked by the CSP header.

See my comment + pull request above