Middleware and TagHelpers for CSP support in ASP.NET

[aaronshim]

Hello ASP.NET Devs!

This PR adds Content Security Policy support for ASP.NET as a middleware. A very popular security mitigation against XSS and other injection vulnerabilities. CSP comes in many flavours, but we've chosen to add support for the most robust of them: nonce-based, strict-dynamic CSP.

Summary of the changes (Less than 80 chars)

• Allow configuration of whether CSP enabled in reporting or enforcement modes.
• Allows configuration of a report URI, for violation reports sent by the browser.
• CSP middleware generates a nonce-based, strict-dynamic policy.
• Middleware adds thepolicy to HTTP responses according to the configuration.
• Custom <script> TagHelper to set nonce attribute on script blocks automatically.
• Provides a default implementation of a CSP violation report collection endpoint.
• Example app that uses our CSP middleware and corresponding basic unit tests.

With these tools, developers can enable CSP in reporting mode, collect reports and identify and refactor existing code that is incompatible with CSP from these reports. Finally, developers will be able to switch CSP to enforcing mode, which will provide a very robust defense against XSS.

Addresses #6001 (in this specific format)

Co-authored-by: Santiago Diaz - salchoman@gmail.com

[dnfadmin]

Thank you for your submission, we really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

❌ aaronshim sign now
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Tratcher]

Should this be closed in favor of aspnet/AspLabs#298?