
Implement CSP presets (and a more reasonable default) #3

@16patsle


Currently the default is default-src: 'self', but we could probably have a choice between three different presets.

  • Self: Like currently. It could probably include other domains that might get requested in a typical core WordPress installation too (if any). At least the logged-in and admin backend should be more permissive.
  • Typical: Should reflect a typical WordPress installation, including popular third party plugins or domains (probably stuff like Google Fonts, Google Analytics and Jetpack, which are all commonly used), and fairly permissive for the admin backend.
  • Permissive: Should accept almost everything (though maybe a few common restrictions?)
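The three presets sketched above, as an added example that is not part of the issue or the plugin's code: each preset is a directive-to-sources map, the admin backend gets a looser copy, and a small source matcher shows which resource URLs each policy admits. The site origin, the third-party hostnames (Google Fonts, Google Analytics, Jetpack's wp.com) and the admin-side `'unsafe-inline'` are assumptions.

```python
"""CSP presets for a WordPress site, with a matcher to show what each one admits."""
from urllib.parse import urlsplit

SITE = "https://blog.example"  # constructed site origin used for 'self'

# Assumed hostnames for the "typical" third parties named in the issue.
THIRD_PARTY = ["https://fonts.googleapis.com", "https://fonts.gstatic.com",
               "https://www.google-analytics.com", "https://*.wp.com"]
PRESETS = {
    "self": {"default-src": ["'self'"]},
    "typical": {"default-src": ["'self'"] + THIRD_PARTY},
    # "almost everything", with object-src 'none' as the one common restriction
    "permissive": {"default-src": ["'self'", "https:"], "object-src": ["'none'"]},
}

def build(preset, admin=False):
    """Policy dict for a preset; admin pages additionally allow inline script/style
    (an assumption about what the WordPress backend needs)."""
    policy = {d: list(src) for d, src in PRESETS[preset].items()}
    if admin:
        for d in ("script-src", "style-src"):
            policy[d] = policy.get(d, policy["default-src"]) + ["'unsafe-inline'"]
    return policy

def render(policy):
    """Serialise a policy dict to a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(src)}" for d, src in policy.items())

def _source_matches(src, url):
    u, site = urlsplit(url), urlsplit(SITE)
    if src == "'self'":
        return (u.scheme, u.netloc) == (site.scheme, site.netloc)
    if src.startswith("'"):      # 'none', 'unsafe-inline', ... never match a URL
        return False
    if src.endswith(":"):        # scheme-source such as https:
        return u.scheme == src[:-1]
    p = urlsplit(src)            # host-source, optionally with scheme and *. wildcard
    if p.scheme and p.scheme != u.scheme:
        return False
    host = p.hostname or ""
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host

def allows(policy, directive, url):
    """True if `directive` (e.g. script-src) may load `url`; falls back to
    default-src when the directive is absent, as browsers do."""
    sources = policy.get(directive) or policy.get("default-src", [])
    return any(_source_matches(s, url) for s in sources)
```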

Labels: enhancement (New feature or request)