Rendering of PDFs is broken due to Content Security Policy

Summary

PDFs are not rendered when loaded in a repository, and the browser console displays the following:

VM153 pdf_viewer.573033ff6c6bc6869edb.bundle.js:7 Refused to create a worker from 'blob:https://gitlab.com/4d28b09e-9568-43e1-8b6d-c3735be1acf4' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

_initialize @ VM153 pdf_viewer.573033ff6c6bc6869edb.bundle.js:7
10:41:38.941 VM149 raven.c94699aec8e665da5599.bundle.js:1 Warning: Setting up fake worker.
10:41:39.051 VM153 pdf_viewer.573033ff6c6bc6869edb.bundle.js:7 Uncaught (in promise) TypeError: Cannot read property 'setup' of undefined
    at i.<anonymous> (VM153 pdf_viewer.573033ff6c6bc6869edb.bundle.js:7)
    at <anonymous>
10:41:39.828 sentry-infra.gitlap.com/api/3/csp-report/?sentry_key=a664fdde83424b43a991f25fa7c78987 Failed to load resource: the server responded with a status of 403 (FORBIDDEN)
10:41:47.514 Navigated to https://gitlab.com/reproduction-group/test-group/blob/master/test-document.pdf
10:41:47.875 pdf.js:2775 Refused to create a worker from 'blob:https://gitlab.com/af2cc286-a71a-4d54-9b03-3e5d4622c7c4' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

_initialize @ pdf.js:2775
i @ pdf.js:2750
i @ pdf.js:2227
load @ pdf_viewer.573033ff6c6bc6869edb.bundle.js:11935
n @ vue.esm.js:189
mounted @ index.vue:53
Re @ vue.esm.js:2868
insert @ vue.esm.js:4045
T @ vue.esm.js:5806
(anonymous) @ vue.esm.js:6025
e._update @ vue.esm.js:2613
o @ vue.esm.js:2741
ms.get @ vue.esm.js:3084
ms @ vue.esm.js:3073
$e @ vue.esm.js:2745
At.$mount @ vue.esm.js:8331
At.$mount @ vue.esm.js:10670
e._init @ vue.esm.js:4523
At @ vue.esm.js:4608
E @ index.js:8
n @ raven.js:298
10:41:47.878 console.js:26 Warning: Setting up fake worker.

Steps to reproduce

What is the current bug behavior?

Rendering fails

What is the expected correct behavior?

Rendering works
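
The fallback named in the console message can be reproduced offline. The following is an added example, not code from GitLab or from this report: it parses the reported policy, resolves which directive governs worker creation, and checks whether a blob: worker URL matches it. The function names and the `worker-src 'self' blob:` remediation are assumptions for illustration, not the fix GitLab shipped.

```javascript
// Added example (not GitLab code): resolve which CSP directive governs Worker
// creation and check whether a blob: worker URL is allowed by it.

// Policy string copied from the console message in the report.
const REPORTED_POLICY =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net " +
  "https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/";

// Parse "name src1 src2; name2 ..." into a Map of directive -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// CSP Level 3 fallback chain for workers.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

function effectiveWorkerDirective(directives) {
  return WORKER_FALLBACK.find((name) => directives.has(name)) || null;
}

// A blob: URL matches only an explicit "blob:" scheme source. Neither 'self'
// nor "*" nor host sources match it.
function allowsBlobWorker(policy) {
  const directives = parsePolicy(policy);
  const name = effectiveWorkerDirective(directives);
  if (name === null) return { allowed: true, directive: null }; // nothing restricts workers
  const allowed = directives.get(name).some((s) => s.toLowerCase() === "blob:");
  return { allowed, directive: name };
}

// Hypothetical remediation: scope blob: to workers only rather than adding it to script-src.
const HARDENED_POLICY = REPORTED_POLICY + "; worker-src 'self' blob:";

console.log(allowsBlobWorker(REPORTED_POLICY)); // { allowed: false, directive: 'script-src' }
console.log(allowsBlobWorker(HARDENED_POLICY)); // { allowed: true, directive: 'worker-src' }
```

Setting `worker-src` explicitly keeps `blob:` out of `script-src`, so the change does not widen what ordinary script loads may use.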