[Idea] Add Content-Security-Policy (CSP header) for core and modules

[jf-viguier]

The problem

It's more and more important to find a native way to protect front and back from XSS attacks.

Discussions here :
#12970
#20229

The solution

• For the core, a default CSP config should be provided
• For the modules, a way to declare their externals domains used by the module (for assets : js / css / images and XHR)
• In the back office : a settings page that allow to manage all policies and to block or report only.

There is a module here by @nenes25 https://www.h-hennes.fr/blog/2022/07/27/prestashop-ameliorer-la-securite-de-votre-site-avec-les-csp/

Alternatives

No response

Additional context

No response

Do you plan to work on this subject?

• I'm willing to contribute a formal specification.
• I'm willing to provide any wireframes or design assets required for this feature.
• I'm willing to submit a Pull Request that implements this feature.
• I'm willing to help verify that the implemented feature works as intended and produces no unintended side effects.

[atomiix]

There's also this issue about it: #29260