Manual:$wgCSPHeader

Manual:$wgCSPReportOnlyHeader

Manual:$wgCrossSiteAJAXdomains

https://phabricator.wikimedia.org/T135963

https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy