Add Content Security Policy headers

This looks like a reasonable default policy:

  X-Content-Security-Policy: "allow 'self'; options inline-script; img-src 'self' http://cdn.libravatar.org https://seccdn.libravatar.org data:"

(see https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives for the details)

However, these pages need exceptions:

- tools/check: needs to allow any third-party images
- account/import_photo: needs to allow Gravatar and Identi.ca images

Ideally, it would be nice to have Apache add a default CSP header if there isn't one already in the response (i.e. Django hasn't returned one).

That way, we could override the default value of that header within Django by doing this:

  response = render_to_response('tools/check.html', {'form': form, 'data' : data}, context_instance=RequestContext(request))
  response['X-Content-Security-Policy'] = 'something else'
  return response

The problem however is that Apache mod_headers doesn't have an action that adds a header only if it didn't exist already:

  https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header

and we can't use the 'merge' or 'add' actions because they use commas as separators whereas CSP requires semicolons :(

http://feeding.cloud.geek.nz/2011/09/adding-x-content-security-policy.html