Investigate and use Content Security Policy on all internal pages
Epiphany uses custom pages with HTML and JavaScript for various features. This always leads to potential for unsafe scripts being injected so we should use CSP when it is possible to do so.
Firstly we need to get a list of all pages where this might be applicable.
Creating policies for many of them could be as simple as default-src 'self'
. More advanced cases might require us generating hashes for specific scripts.
Where we control the HTML it could be set with <meta http-equiv="Content-Security-Policy" content="...">
. Ideally we set it via headers if possible with webkit's api.