Make nginx Content-Security-Policy configurable (#1048)

* Adding the nginx head Content-Security-Policy to the Configuration file

* fixing whitespace formatting

* adding a '+' that got removed

util/Setup/Configuration.cs

@@ -72,6 +72,15 @@ namespace Bit.Setup
             "`/etc/ssl` within the container.")]
         public string SslDiffieHellmanPath { get; set; }
 
+        [Description("Nginx Header Content-Security-Policy parameter\n" +
+            "WARNING: Reconfiguring this parameter may break features. By changing this parameter\n" +
+            "you become responsible for maintaining this value.")]
+        public string NginxHeaderContentSecurityPolicy { get; set; } = "default-src 'self'; style-src 'self' " +
+            "'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " + 
+            "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
+            "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
+            "https://twofactorauth.org; object-src 'self' blob:;";
+
         [Description("Communicate with the Bitwarden push relay service (push.bitwarden.com) for mobile\n" +
             "app live sync.")]
         public bool PushNotifications { get; set; } = true;