I took a look at the pull request.
I understand that the “just merge django-csp” approach minimizes effort. However the result doesn’t feel well integrated with Django. I left a few comments that all boil down to “this isn’t how we would have done it if we’d started from a clean slate” and quickly gave up when I noticed that trend.
Thinking in terms of “we have Django, how do we best implement CSP?” — and liberally looking for API ideas or code in django-csp, since its license allows that — will yield better results than merely transplanting django-csp in django.contrib. That’s usually how Django integrates third-party code.