New Extensions policy for Content Security Policy (CSP) directives and timeline for enforcement

CSP goes in the dashboard to control what the front end code/HTML/JS/CSS can access.

CSP headers do not go in the EBS/express backend. for an extension use case

An example: