Improve handling of sources from libraries

Created on 21 November 2023, 7 months ago
Updated 19 January 2024, 5 months ago

Problem/Motivation

CSP parses library definitions in order to populate script-src and style-src, and creates a single default set of sources that is applied to all responses. This benefits site builders, who are more likely to be able to enable the module and gain improved protection from the default configuration with a lower risk of blocking expected behaviour. CSP may also allow sources for additional directives to be added from library definitions in the future (e.g. font-src for CSS libraries that load remote fonts).

There are a few issues with some cases though:

  • A module may define optional libraries that are not used on a site unless enabled through configuration. In some cases, this allows a third-party domain that isn't actually used. (Related issue: ✨ Make auto sources configurable, status RTBC.)
  • Third-party domains may be allowed on admin-only pages where the scripts are not used and should not need to be allowed.
  • Allowing a CDN domain allows any script/style it hosts, which can include other undesired scripts, or older (possibly insecure) versions of the desired scripts.

Proposed resolution

Some or all features:

  • Allow disabling all auto sources for a directive; a user would then manage that directive manually.
  • Allow disabling the sources contributed by particular libraries.
  • Allow setting a default allow/deny policy for libraries, which individual libraries could override. Unconfigured libraries (e.g. from newly installed modules) could then be reported as an error on the site's status page.
  • Add sources from libraries per request (only for libraries attached to the response), instead of per site.
  • Allow configuring libraries to add domain+path to directives, rather than the bare domain.

Implementing the additional configuration options in a new object (csp.libraries?) would keep the main csp.config object cleaner.
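As an added illustration of the proposed model (this is example code, not part of the CSP module or this issue), the following Python computes script-src and style-src from a simplified, constructed set of library definitions under a default allow/deny policy with per-library overrides, optionally keeping the asset path instead of the bare host, and reports which libraries have no explicit configuration. The library names, URLs and the configuration keys (`default`, `libraries`, `enabled`, `include_path`) are assumptions made for the example; the Drupal `*.libraries.yml` shape (js as path -> options, css as group -> path -> options) is modelled only loosely.

```python
from urllib.parse import urlsplit

# Constructed library definitions, loosely modelled on *.libraries.yml
# (js: path -> options; css: group -> path -> options). Not real modules.
LIBRARIES = {
    "mymodule/jquery-cdn": {
        "js": {"https://code.jquery.com/jquery-3.7.1.min.js": {"type": "external"}},
    },
    "mymodule/optional-widget": {
        "js": {"https://widgets.example.net/embed.js": {"type": "external"}},
        "css": {"theme": {"https://widgets.example.net/embed.css": {"type": "external"}}},
    },
    "mymodule/local": {
        "js": {"js/app.js": {}},  # local asset: covered by 'self'
    },
}


def source_for(url, include_path):
    """Turn an asset URL into a CSP source expression, or None for local assets.

    With include_path=False only the origin is returned (the current behaviour,
    which allows everything the host serves); with include_path=True the exact
    asset path is kept, so only that file is allowed.
    """
    if url.startswith("//"):
        url = "https:" + url  # scheme-relative URL: assume https for the policy
    parts = urlsplit(url)
    if not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}{parts.path if include_path else ''}"


def collect_sources(libraries, config):
    """Build script-src / style-src under a default allow/deny policy.

    config = {"default": "allow"|"deny",
              "include_path": bool,                      # site-wide default
              "libraries": {name: {"enabled": bool, "include_path": bool}}}
    Returns ({directive: sorted sources}, sorted names of unconfigured libraries).
    """
    default_allow = config.get("default", "allow") == "allow"
    site_include_path = config.get("include_path", False)
    overrides = config.get("libraries", {})
    directives = {"script-src": set(), "style-src": set()}
    unconfigured = []

    for name, definition in libraries.items():
        lib_cfg = overrides.get(name)
        if lib_cfg is None:
            # No explicit decision for this library: fall back to the default
            # policy and remember it so the status page can flag it.
            unconfigured.append(name)
            enabled, include_path = default_allow, site_include_path
        else:
            enabled = lib_cfg.get("enabled", default_allow)
            include_path = lib_cfg.get("include_path", site_include_path)
        if not enabled:
            continue
        for url in definition.get("js", {}):
            src = source_for(url, include_path)
            if src:
                directives["script-src"].add(src)
        for group in definition.get("css", {}).values():
            for url in group:
                src = source_for(url, include_path)
                if src:
                    directives["style-src"].add(src)

    return {k: sorted(v) for k, v in directives.items()}, sorted(unconfigured)


def to_header(directives):
    """Render the directives as a Content-Security-Policy header value."""
    return "; ".join(" ".join([name, "'self'", *sources])
                     for name, sources in directives.items())


if __name__ == "__main__":
    # Current behaviour: everything allowed, whole CDN hosts, nothing flagged explicitly.
    print(to_header(collect_sources(LIBRARIES, {"default": "allow"})[0]))
    # Proposed: deny by default, opt one library in with its exact path.
    strict = {"default": "deny",
              "libraries": {"mymodule/jquery-cdn": {"enabled": True, "include_path": True}}}
    directives, unconfigured = collect_sources(LIBRARIES, strict)
    print(to_header(directives))
    print("unconfigured libraries:", unconfigured)
```

With the deny-by-default configuration the optional widget domain disappears from both directives and the jQuery entry shrinks from the whole `code.jquery.com` origin to the single versioned file, which is the difference the third problem bullet above is about; the unconfigured list is what a status-page check would report.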

Remaining tasks

User interface changes

- A new tab in the CSP configuration
- The auto-sources sections on the main config form changed from a disabled textarea to plain text with a note/link to the other configuration tab?

API changes

- A new configuration object

Data model changes

🌱 Plan
Status

Active

Version

2.0

Component

Code

Created by

🇨🇦 Canada gapple


