Admins should be able to add additional domains to the policy through configuration.
| Comment | File | Size | Author |
|---|---|---|---|
| #8 | csp-2895243-8.interdiff.txt | 5.93 KB | gapple |
| #8 | csp-2895243-8-manual-policy.patch | 31.68 KB | gapple |
Comments
Comment #2
gapple
Maybe there should be toggle options for the static properties (e.g. 'unsafe-inline'), and a separate input for domains so that each domain can be validated and warnings can be placed on the appropriate toggle items.
Comment #3
gapple
Report-URI has a CSP builder that uses a vertical-tabs-like interface (https://report-uri.com/home/generate/)

I've started to build out this, but it makes for a very long page if many directives are defined:

Comment #4
gapple
New iteration with the list of directives for each of the enforced and report-only policies in a separate vertical tab.

Comment #5
gapple
Some smaller changes that you can see:
- A master checkbox to enable each of the enforced and report-only policies. The module won't do anything if both are disabled, so I'm pondering forcing at least one to be enabled when submitting the form.
- If automated values are provided for a directive (by default script-src and style-src), it must be enabled in configuration (the checkbox is checked and disabled). This forces setting a base value (by default 'self'), otherwise a directive could be enabled by an automated value and unexpectedly block resources. For example, if a module were to provide a domain for connect-src but it's not configured, any HTTP requests to the Drupal site would get reported or blocked (e.g. autocomplete, form AJAX...).
A lot of work behind the scenes:
- Updated the configuration schema and default configuration
- Update hook to modify the config for existing sites to the new defaults.
- Saving the form actually updates configuration
- The configuration affects the generated policies
- Policy class supports boolean directives ('block-all-mixed-content', 'upgrade-insecure-requests')
Since it's now actually functional, I'll attach a patch.
Comment #7
gapple
The configuration yml will look like this:
Most directives use the same 'source-list' format as script-src and style-src, but a few directives are boolean values, or an array of keys:
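The behaviour described in comments #5 and #7 (an enable flag per policy, a base value required for any directive that receives automated values, and boolean directives alongside source-list directives) is sketched below as an added Python example. It is not the csp module's code and it is language-neutral rather than Drupal-specific; the configuration layout, the function names `merge_automated`, `build_header_value` and `build_headers`, and the domains in the sample data are all constructed for this illustration.

```python
"""Added example, not the csp module's own code: build Content-Security-Policy
headers from a configuration shaped like the one described in the comments.

Assumed layout (a constructed stand-in for the module's real schema):
  policies = {
      'enforce':     {'enable': True,  'directives': {...}},
      'report-only': {'enable': False, 'directives': {...}},
  }
A directive value is either a list of sources (source-list directives such as
script-src and style-src) or a bool (block-all-mixed-content,
upgrade-insecure-requests).
"""

# Directives that take no source list; present in the header or absent.
BOOLEAN_DIRECTIVES = {'block-all-mixed-content', 'upgrade-insecure-requests'}

HEADER_NAMES = {
    'enforce': 'Content-Security-Policy',
    'report-only': 'Content-Security-Policy-Report-Only',
}


def merge_automated(configured, automated):
    """Combine configured source lists with values other modules add at runtime.

    Applies the rule from comment #5: a directive that receives automated
    values must already have a configured base value. Without that rule an
    automated value alone would create the directive and the site's own origin
    would be missing from it, so same-origin requests (form AJAX, autocomplete)
    would be blocked or reported.
    """
    merged = {name: list(sources) for name, sources in configured.items()}
    for name, sources in automated.items():
        if not merged.get(name):
            raise ValueError(
                f"{name} receives automated values but has no configured base value"
            )
        for src in sources:
            if src not in merged[name]:
                merged[name].append(src)
    return merged


def build_header_value(directives):
    """Serialize directives into one header value; boolean directives carry no sources."""
    parts = []
    for name, value in directives.items():
        if name in BOOLEAN_DIRECTIVES:
            if value:
                parts.append(name)
        elif value:
            parts.append(f"{name} {' '.join(value)}")
    return '; '.join(parts)


def build_headers(policies, automated=None):
    """Return {header name: header value} for every enabled policy.

    Raises ValueError when neither policy is enabled, the form-level check
    comment #5 considers adding, since the module would otherwise do nothing.
    """
    automated = automated or {}
    headers = {}
    for key, policy in policies.items():
        if not policy.get('enable'):
            continue
        directives = policy['directives']
        source_lists = {n: v for n, v in directives.items() if n not in BOOLEAN_DIRECTIVES}
        merged = merge_automated(source_lists, automated)
        merged.update({n: v for n, v in directives.items() if n in BOOLEAN_DIRECTIVES})
        headers[HEADER_NAMES[key]] = build_header_value(merged)
    if not headers:
        raise ValueError("at least one of the enforced or report-only policies must be enabled")
    return headers


# Constructed sample configuration, mirroring the defaults the comments describe.
SAMPLE_POLICIES = {
    'enforce': {
        'enable': True,
        'directives': {
            'script-src': ["'self'"],
            'style-src': ["'self'"],
            'upgrade-insecure-requests': True,
            'block-all-mixed-content': False,
        },
    },
    'report-only': {'enable': False, 'directives': {}},
}

# Constructed automated values, as another module might contribute for a CDN.
SAMPLE_AUTOMATED = {'script-src': ['https://cdn.example.com']}


if __name__ == '__main__':
    for name, value in build_headers(SAMPLE_POLICIES, SAMPLE_AUTOMATED).items():
        print(f"{name}: {value}")
```

With the sample data this emits a single enforced header; passing an automated value for a directive with no base (for example a constructed `connect-src` entry) raises instead of silently producing a policy that locks the site out of its own origin.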
Comment #8
gapple
Add tests to the patch. Interdiff also shows an extra change that snuck into the previous patch.
Comment #11
gapple
Will open some follow-up issues for a few remaining items, but I think this is sufficiently functional to put into a new release.