From my understanding only TemplateResponses should require a CSP to be set.
Any other responses could be delivered with none.

In this case we should also add an event for apps, to call \OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy() instead of having apps like Talk always do this.

In case of Talk we load the config, need to check all turn/stun/signaling servers etc and add them to the CSP. This could all be saved if the CSP is useless anyway.

cc @rullzer