6006491ab4
Default to a very narrow policy since there are no CDNs or third-party resources to contend with. Configurable via: - config.x.content_security_policy.* for fizzy-saas gem overrides - DISABLE_CSP to skip entirely - CSP_REPORT_ONLY to enable report-only mode - CSP_REPORT_URI for violation reporting