Set `Content-Security-Policy` tag when the `raw` option is used

stream.go

@@ -118,6 +118,7 @@ func streamOriginImage(ctx context.Context, reqID string, r *http.Request, rw ht
 		"Expires":       rw.Header().Get("Expires"),
 	})
 	setCanonical(rw, imageURL)
+	rw.Header().Set("Content-Security-Policy", "script-src 'none'")
 
 	rw.WriteHeader(res.StatusCode)