Content-Security-Policy for URLs

[notriddle]

https://github.com/notriddle/ammonia/issues/57#issuecomment-332423056

Just to be clear:

• The UrlRelative setting is just for resolving URLs. It is not an all-encompassing filter; it does nothing to absolute URLs.
• Some people want the ability to filter all allowed URLs. And it seems sensible to just implement the same Content-Security-Policy language that browsers already implement, especially since it means the same definition can be shared between both.

[notriddle]

Before I can decide if this needs to go in at 1.0 or if it should be delayed until after 1.0 is released, we need to answer the question of whether there should be a Content-Security-Policy by default.

I think the answer's no, since the default setting blocks all CSS and JavaScript, while CSP is a way to restrict where CSS and JavaScript come from (as well as images, multimedia, objects, fonts, and a few other things that can usually be safely loaded from anywhere anyway).

[notriddle]

https://github.com/notriddle/rust-content-security-policy/

Unless somebody knows of a Content-Security-Policy parser. I couldn't find one after a brief search of Crates.IO.