pixelated / pixelated-dispatcher

Server component of Pixelated that allows running multiple instances of the user agent on a single server.

As a person concerned about security I want the Content-Security-Policy header to be set.

neissi opened this issue

Background:

This header specifies from which sites resources can be downloaded (https://en.wikipedia.org/wiki/Content_Security_Policy).

This might, for example, help with some kinds of injection attacks where some malicious JavaScript code is downloaded from an external site because of some formatting/escape problems.

There is a special report-only option, which might be helpful to identify which external stuff we unknowingly depend on.

Content-Security-Policy-Report-Only: policy

Requirements:
When I open any user-agent URI
Then I get the Content-Security-Policy header as well as the Content-Security-Policy-Report-Only header

The same was implemented on #304

No more dispatcher means this issue doesn't make sense anymore, right? Can we close it?
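As an added example (not code from the Pixelated project or from this issue), a generic WSGI wrapper that meets the requirement above by setting both headers on every response, plus a helper that reduces report-only violation reports to the external origins the page depends on. The policies, the `/csp-report` path, and all function names are assumptions.

```python
import json
from urllib.parse import urlsplit
# Assumed policies and report path; the issue does not specify any.
ENFORCED = "default-src 'self' https:; object-src 'none'"
REPORT_ONLY = "default-src 'self'; report-uri /csp-report"
CSP_NAMES = {"content-security-policy", "content-security-policy-report-only"}

def csp_middleware(app, enforced=ENFORCED, report_only=REPORT_ONLY):
    """Wrap a WSGI app so every response carries exactly our two CSP headers."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() not in CSP_NAMES]
            headers += [("Content-Security-Policy", enforced),
                        ("Content-Security-Policy-Report-Only", report_only)]
            return start_response(status, headers, exc_info)
        return app(environ, start)
    return wrapped

def response_headers(app, path="/"):
    """Call a WSGI app once and return its response headers as a dict."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(headers)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return seen

def external_origins(report_bodies, own_origin):
    """Count blocked origins other than own_origin in violation reports."""
    counts = {}
    for body in report_bodies:
        try:
            blocked = json.loads(body)["csp-report"]["blocked-uri"]
            parts = urlsplit(blocked)
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # reports are untrusted input; skip malformed ones
        if not (parts.scheme and parts.netloc):
            continue  # values like "inline" or "eval" carry no origin
        origin = f"{parts.scheme}://{parts.netloc}"
        if origin != own_origin:
            counts[origin] = counts.get(origin, 0) + 1
    return counts

def demo_app(environ, start_response):  # constructed stand-in application
    start_response("200 OK", [("content-security-policy", "default-src *")])
    return [b"ok"]
SAMPLE_REPORTS = [json.dumps({"csp-report": {"blocked-uri": u}}) for u in (
    "https://cdn.example.net/a.js", "https://cdn.example.net/b.css",
    "https://fonts.example.com/f.woff", "inline",
    "https://mail.example.org/app.js")] + ["not json"]  # constructed samples
```

Running `external_origins` over the collected report bodies gives the dependency list the report-only header is meant to surface, before the stricter policy is moved to the enforcing header.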