Update the documented CSP options to be closer to a strict and viable policy

Author: thibaudcolas

.env.example

@@ -6,6 +6,8 @@
 
 # Careful about the quoting of directives! It is easy to break.
 # CSP_DEFAULT_SRC="'self'"
-
-# Enable this rule to allow font awesome to load from CDN
-# CSP_FONT_SRC="'self', https://cdnjs.cloudflare.com"
+# CSP_SCRIPT_SRC="'self', 'report-sample'"
+# CSP_STYLE_SRC="'self', 'report-sample'"
+# CSP_IMG_SRC="'self', blob:, i.ytimg.com, www.gravatar.com"
+# CSP_CONNECT_SRC="'self', releases.wagtail.org"
+# CSP_FRAME_SRC="'self', www.youtube.com"