WICG / Realms-Initialization-Control

Introduce security controls to same origin realms in web applications
MIT License

Address code execution escalation concerns #15

Closed. weizman closed this 2 months ago

weizman commented 2 months ago

Come to think of it, using a CSP header for this feature can potentially introduce security concerns worth reflecting on - this PR summarizes important thoughts around it

weizman commented 2 months ago

@yoavweiss I think I'm leaning towards option #2 (meta tag), which is a great sweet spot in the middle between a header and a JS API, because:

  1. It's a better version of the header, because it is less likely that tags get injected, and even less likely that they get injected high enough in the initial HTML to bypass the RIC dictation of the web app itself
  2. It's a better version of the header, because it's less of an escalation - if attackers can inject HTML, they might as well inject a script or an iframe
  3. It's a better version of the JS API, because it deviates significantly less from the original proposal

That being said, when comparing option #3 to the serviceWorker API, it makes a lot of sense, as the two are much alike in terms of power and SOP sensitivity

All in all, a lot to ponder, but what's becoming more clear to me is that option #1 (the current proposal's state) is probably the worst one...

Would love to hear your thoughts

weizman commented 2 months ago

This is an open issue. Continue discussion at #16