Allow adding/removing of existing Content-Security-Policy and Permissions-Policy directives

[agrobbin]

Motivation / Background

Previously, if you wanted to add/remove directives from either header, you had to redefine the defaults in the controller.

Rails.application.configure do
  config.content_security_policy do |policy|
    policy.default_src :none

    policy.script_src :self, 'a.com', 'b.com'
  end
end

class FooController < ApplicationController
  content_security_policy do |policy|
    policy.script_src :self, 'a.com', 'b.com', 'c.com'
  end
end

Detail

Now, you can adjust the policy directives without overwriting the global configuration.

Rails.application.configure do
  config.content_security_policy do |policy|
    policy.default_src :none

    policy.script_src :self, 'a.com', 'b.com'
  end
end

class FooController < ApplicationController
  content_security_policy do |policy|
    policy.add_script_src 'c.com'
  end
end

Checklist

Before submitting the PR make sure the following are checked:

• This Pull Request is related to one change. Changes that are unrelated should be opened in separate PRs.
• Commit message has a detailed description of what changed and why. If this PR fixes a related issue include it in the commit message. Ex: [Fix #issue-number]
• Tests are added or updated if you fix a bug or add a feature.
• CHANGELOG files are updated for the changed libraries if there is a behavior change or additional feature. Minor bug fixes and documentation changes should not be included.

[agrobbin]

If/when someone from the Core team has a few minutes, it'd be great to get a review! I'd love to get something like this into Rails.