Feature Request
Resolution: Done
1. Proposed title of this feature request
Possibility to set a custom Content-Security-Policy header in HAProxy
2. What is the nature and description of the request?
The customer needs to set a custom Content-Security-Policy header on the ingress controller.
3. Why does the customer need this?
It is a security requirement.
4. How would the customer like to achieve this?
Probably in a similar way to the Strict-Transport-Security header configuration [0]: by implementing a dedicated ingress/route annotation to configure it.
Something like:
~~~
haproxy.router.openshift.io/csp_header: "default-src 'self' https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'; img-src 'self' https: data: blob:; style-src https: blob: 'unsafe-inline'; worker-src 'self' blob:; font-src 'self' https: data: blob:; child-src 'self' https: data: blob:;"
~~~
5. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
By making a request, inspecting the returned headers and making sure the Content-Security-Policy header is properly set:
~~~
$ curl -I https://app.openshift.cluster
[...]
Content-Security-Policy: default-src 'self' https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'; img-src 'self' https: data: blob:; style-src https: blob: 'unsafe-inline'; worker-src 'self' blob:; font-src 'self' https: data: blob:; child-src 'self' https: data: blob:;
[...]
~~~
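The acceptance check above, written out as a reusable script (an added example, not part of this RFE or of the OpenShift router). It assumes the route is reachable with curl and that the expected value is the one set through the proposed annotation; a constructed sample response is included so the check itself can be exercised offline.

```shell
#!/bin/sh
# Verify that a route returns the expected Content-Security-Policy header.
# EXPECTED_CSP is the value the customer would set via the proposed annotation.
EXPECTED_CSP="default-src 'self' https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'; img-src 'self' https: data: blob:; style-src https: blob: 'unsafe-inline'; worker-src 'self' blob:; font-src 'self' https: data: blob:; child-src 'self' https: data: blob:;"

# header_value NAME HEADERS: print the value of header NAME from a raw HTTP
# header block. The name match is case-insensitive (HAProxy may lowercase
# header names), CR and surrounding blanks are stripped. Returns 1 if absent.
header_value() {
  _v=$(printf '%s\n' "$2" | tr -d '\r' |
    awk -v n="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
      'index(tolower($0), n ":") == 1 { print substr($0, length(n) + 2) }' |
    sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//' | head -n 1)
  [ -n "$_v" ] || return 1
  printf '%s\n' "$_v"
}

# check_csp HEADERS EXPECTED: 0 if the CSP header equals EXPECTED exactly,
# 1 if the header is missing, 2 if it is present but differs. Telling the
# two failure cases apart shows whether the annotation was applied at all.
check_csp() {
  _got=$(header_value Content-Security-Policy "$1") || return 1
  [ "$_got" = "$2" ] && return 0
  return 2
}

# check_route URL: fetch only the response headers (like `curl -I` in the
# RFE) and validate them against EXPECTED_CSP.
check_route() {
  _hdrs=$(curl -sS -I --max-time 10 "$1") || return 1
  check_csp "$_hdrs" "$EXPECTED_CSP"
}

# Constructed sample response (CRLF line endings, as curl prints them) so the
# check can be run without a cluster.
SAMPLE_HEADERS=$(printf 'HTTP/1.1 200 OK\r\ncontent-security-policy: %s\r\nStrict-Transport-Security: max-age=31536000\r\n' "$EXPECTED_CSP")

# Set ROUTE_URL (hypothetical variable) to check a real route, e.g.
# ROUTE_URL=https://app.openshift.cluster sh check_csp.sh
if [ -n "${ROUTE_URL:-}" ]; then
  check_route "$ROUTE_URL" && echo "Content-Security-Policy OK on $ROUTE_URL"
fi
```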
6. Is there already an existing RFE upstream or in Red Hat Bugzilla?
No. A similar request is tracked at [1].
7. Is the sales team involved in this request and do they have any additional input?
No
8. List any affected packages or components.
OpenShift HAProxy
[0] https://docs.openshift.com/container-platform/4.11/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
[1] https://issues.redhat.com/browse/RFE-464