Create rule S7039: Content Security Policies should be restrictive (NET-24) (#4188)

rules/S7039/csharp/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S7039/csharp/rule.adoc

@@ -0,0 +1,43 @@
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+== How to fix it
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+using System.Web;
+
+public async Task InvokeAsync(HttpContext context)
+{
+    context.Response.Headers.ContentSecurityPolicy = "script-src 'self' 'unsafe-inline';"; // Noncompliant
+}
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+using System.Web;
+
+public async Task InvokeAsync(HttpContext context)
+{
+    context.Response.Headers.ContentSecurityPolicy = "script-src 'self' 'sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc=';";
+}
+----
+
+=== How does this work?
+
+include::../common/fix/least_privilege.adoc[]
+
+== Resources
+
+include::../common/resources/docs.adoc[]
+
+include::../common/resources/standards.adoc[]