CORS-RFC1918: Introduce 'treat-as-public-address' CSP directive

As defined at https://mikewest.github.io/cors-rfc1918/#csp, this CSP
directive allows a document to drop any "external request" privileges it
might have based on the IP address from which it was served. This flag
isn't used yet, but will be once we start teaching the various loaders
about the joys and sorrows of external requests.

BUG=591056

Review URL: https://codereview.chromium.org/1747263002

Cr-Commit-Position: refs/heads/master@{#378735}
5 files changed