+/**
+ * Controls Content-Security-Policy header [Experimental]
+ *
+ * @see https://www.w3.org/TR/CSP2/
+ * @since 1.32
+ * @var bool|array true to send default version, false to not send.
+ * If an array, can have parameters:
+ * 'default-src' If true or array (of additional urls) will set a default-src
+ * directive, which limits what places things can load from. If false or not
+ * set, will send a default-src directive allowing all sources.
+ * 'includeCORS' If true or not set, will include urls from
+ * $wgCrossSiteAJAXdomains as an allowed load sources.
+ * 'unsafeFallback' Add unsafe-inline as a script source, as a fallback for
+ * browsers that do not understand nonce-sources [default on].
+ * 'script-src' Array of additional places that are allowed to have JS be loaded from.
+ * 'report-uri' true to use MW api [default], false to disable, string for alternate uri
+ * @warning May cause slowness on windows due to slow random number generator.
+ */
+$wgCSPHeader = false;
+
+/**
+ * Controls Content-Security-Policy-Report-Only header
+ *
+ * @since 1.32
+ * @var bool|array Same as $wgCSPHeader
+ */
+$wgCSPReportOnlyHeader = false;
+
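Review bot: The doc comment for `$wgCSPHeader` does not say what its two permissive defaults mean for protection. With `'unsafeFallback'` on, a browser that does not understand nonce-sources honours `unsafe-inline`, so injected inline scripts are not blocked there. With `'default-src'` false or unset, the header allows all sources for anything not covered by a more specific directive. I would add a line such as `With 'unsafeFallback' enabled, browsers without nonce support get no protection against inline scripts; set it to false once those browsers need not be supported.` and a matching sentence under `'default-src'`. The `@warning` should also name what needs the random numbers (presumably the per-response nonce), and the `$wgCSPReportOnlyHeader` block could state whether it may be enabled together with `$wgCSPHeader`; the code that reads these settings is outside this hunk, so both points need confirming there.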