Middleware: Add CSP support (#29740)

* Middleware: Add support for CSP

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

Co-authored by @iOrcohen

conf/sample.ini

@@ -233,6 +233,14 @@
 # when they detect reflected cross-site scripting (XSS) attacks.
 ;x_xss_protection = true
 
+# Enable adding the Content-Security-Policy header to your requests.
+# CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+;content_security_policy = false
+
+# Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+# $NONCE in the template includes a random nonce.
+;content_security_policy_template = """script-src 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
+
 #################################### Snapshots ###########################
 [snapshots]
 # snapshot sharing options
@@ -301,7 +309,7 @@
 ;user_invite_max_lifetime_duration = 24h
 
 # Enter a comma-separated list of users login to hide them in the Grafana UI. These users are shown to Grafana admins and themselves.
-; hidden_users = 
+; hidden_users =
 
 [auth]
 # Login cookie name