Cache CSP header for dynamic requests

Thinking more about this, I'm pretty cautious about adding caching to authenticated requests without being able to account for all relevant context (e.g. if only some users have access to a ckeditor field on the page, the policy could alternate between needlessly permissive, or restrictive in a way that breaks functionality depending on who visited the page first).

I would also like to quantify how much caching at this level actually has an effect. The policy information for libraries is already cached, and the rest of the per-request code in CSP itself it pretty minimal.

This would also cause problems for a feature like ✨ Provides a filter to add nonce attribute to inline scripts. Needs work , and anything else which uses nonces, which need to alter the policy on every request.

One possibility might be to break up the alter event into two phases:

• Global alterations, which are not dependent on context (but with adding appropriate cache tags to the event object). This could even be preemptively generated on cache rebuild.
  The module's own config would be one instance (tagged with config:csp.settings), or the sources added by library info (tagged with library_info).
• Per-request alterations that act on things like which libraries are attached to the request, or if something on the page wants to use a nonce.
  CKEditor requires style-src 'unsafe-inline', which is only added if it's attached to the page's libraries.

Something like google_tag straddles both, because it is mostly likely present on every page, but would preferentially use a nonce - and the order of alterations when attempting to use a nonce is important ( ✨ Add helper for safely appending nonce/hash sources Fixed , ✨ Enable conditional/alternate directive values Active )

Some of what is discussed here is outlined in ✨ Allow CSP to be added by render elements Needs review