Research desired CSP for serverless offering

[legrego]

We should audit the available CSP options against our current policy, and identify which, if any, we should consider adding/altering to the serverless offering. If these changes don't break the classic offering, then they should be applied there, too.

The output of this issue is:

• Identify the initial CSP we wish to ship with the serverless offering, with a technical design of how we will implement these changes.
• Identify the ideal CSP we wish to eventually ship with both the serverless and classic offerings. A technical design isn't required for this, but we should be able to justify why this won't be a part of the initial serverless offering.

The initial and ideal CSP may be identical, and that is fine. The purpose of this task is to understand the available options, and which of them are applicable to Kibana.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[legrego]

Blocked on https://github.com/elastic/kibana/issues/153584