enable CSP

[g-k]

Enables the CSP policy added in https://github.com/mozilla-services/location-leaderboard/pull/303

If we don't have any CSP errors, since that was deployed this should be good to go.

I don't have the local environment setup, but django-csp defaults to CSP_REPORT_ONLY = False, so the header should be set properly.

[coveralls]

Coverage remained the same at 100.0% when pulling cd32802ff5e4a6a1857135109b8330254b65ebca on g-k:enable-csp into af64da38cb26a15b0e3fb395f36250363bdca345 on mozilla-services:master.

[g-k]

With #307 the only reports we've gotten since the 1.14 deploy are from a lastpass extension and Chrome < 46 on Android, because it doesn't support hash script-srcs.

So I think this OK to turn on, but we can wait for more data too.