Added Content-Security-Policy (#1400)

As per suggested in #1104 , I added a middleware that adds the http header.

controllers/middlewares/middlewares.go

@@ -60,3 +60,11 @@ func ScopesRequired(scopes ...string) gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+// CSP set Content Security Policy http header
+func CSP() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Header("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; script-src 'self'")
+		c.Next()
+	}
+}

controllers/middlewares/router.go

@@ -3,5 +3,5 @@ package middlewares
 import "github.com/NyaaPantsu/nyaa/controllers/router"
 
 func init() {
-	router.Get().Use(ErrorMiddleware())
+	router.Get().Use(CSP(), ErrorMiddleware())
 }