What's the secret to getting Sitefinity to return a Content-Security-Policy header containing the values configured in Settings > Advanced > Authentication > SecurityTokenService > IdentityServer > ContentSecurityPolicyOptions?
I can see in the code that it's being used to set the CspOptions of the IdentityServer3, and that those are subsequently used by the ActionFilter SecurityHeadersAttribute (with an EnableCsp property, defaulting to true), and that that attribute has been given to a handful of IdentityServer3.Core.EndPoints controllers. However, the SecurityHeadersAttribute is internal and so can't be registered globally in custom site-wide initialization logic.
So, how does one take advantage of it, short of writing an ActionFilter that repeats what SecurityHeadersAttribute does, which amounts to calling GetOwinContext on HttpActionExecutedContext and then retrieving the IdentityServerOptions and building a Content-Security-Policy header of our own?
Thanks in advance.