Analyze each item in our custom CSP and understand why we have them
The content security policy on GitLab.com is defined in https://gitlab.com/gitlab-com/gl-infra/chef-repo/-/blob/ece3618bf7c4c64644ceec9fc81f86a96ba1104f/roles/gprd-base.json#L517-L530:
```json
"content_security_policy": {
  "enabled": true,
  "report_only": false,
  "directives": {
    "connect_src": "'self' https://gitlab.com https://assets.gitlab-static.net wss://gitlab.com https://sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net https://sourcegraph.com https://ec2.ap-east-1.amazonaws.com https://ec2.ap-northeast-1.amazonaws.com https://ec2.ap-northeast-2.amazonaws.com https://ec2.ap-northeast-3.amazonaws.com https://ec2.ap-south-1.amazonaws.com https://ec2.ap-southeast-1.amazonaws.com https://ec2.ap-southeast-2.amazonaws.com https://ec2.ca-central-1.amazonaws.com https://ec2.eu-central-1.amazonaws.com https://ec2.eu-north-1.amazonaws.com https://ec2.eu-west-1.amazonaws.com https://ec2.eu-west-2.amazonaws.com https://ec2.eu-west-3.amazonaws.com https://ec2.me-south-1.amazonaws.com https://ec2.sa-east-1.amazonaws.com https://ec2.us-east-1.amazonaws.com https://ec2.us-east-2.amazonaws.com https://ec2.us-west-1.amazonaws.com https://ec2.us-west-2.amazonaws.com https://ec2.af-south-1.amazonaws.com https://iam.amazonaws.com",
    "frame_ancestors": "'self'",
    "frame_src": "'self' https://assets.gitlab-static.net https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-cloudresourcemanager.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://*.codesandbox.io https://customers.gitlab.com",
    "img_src": "* data: blob:",
    "object_src": "'none'",
    "script_src": "'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/ https://apis.google.com",
    "style_src": "'self' 'unsafe-inline' https://assets.gitlab-static.net",
    "worker_src": "https://assets.gitlab-static.net https://gitlab.com blob: data:"
  }
},
```
Given that GitLab.com has no CSP issues, we should figure out where each of these sources comes from and modify the product to adapt automatically, adding those items to the CSP only when they are needed (for example, the reCAPTCHA `script_src` sources should only be added if reCAPTCHA is actually in use).
The objective is to weed out the remaining CSP issues for self-hosted instances and eventually reach a point where we no longer need to maintain a custom CSP for SaaS, because the product simply auto-generates the correct policy.
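As an added example (not GitLab's or the chef-repo's code), a sketch of the auto-generation described above: a base policy plus per-feature source lists that are merged in only when the feature is enabled. The feature-to-source mapping (`recaptcha`, `sourcegraph`, `cdn`) is an assumption about where the hosts in the policy above come from.

```ruby
# Added example (not GitLab's or the chef-repo's code): derive the CSP from the
# features an instance actually uses instead of hand-maintaining one policy.
BASE_DIRECTIVES = {
  "connect_src"     => ["'self'", "https://gitlab.com", "wss://gitlab.com"],
  "frame_ancestors" => ["'self'"],
  "frame_src"       => ["'self'"],
  "img_src"         => ["*", "data:", "blob:"],
  "object_src"      => ["'none'"],
  "script_src"      => ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
  "style_src"       => ["'self'", "'unsafe-inline'"],
  "worker_src"      => ["https://gitlab.com", "blob:", "data:"],
}.freeze
# Assumed mapping from feature to the sources it needs (the hosts are the ones in
# the GitLab.com policy above; which feature pulls each one in is an assumption).
FEATURE_SOURCES = {
  recaptcha: {
    "script_src" => ["https://www.google.com/recaptcha/",
                     "https://www.gstatic.com/recaptcha/", "https://www.recaptcha.net/"],
    "frame_src"  => ["https://www.google.com/recaptcha/", "https://www.recaptcha.net/"],
  },
  sourcegraph: { "connect_src" => ["https://sourcegraph.com"] },
  cdn: {
    "connect_src" => ["https://assets.gitlab-static.net"],
    "script_src"  => ["https://assets.gitlab-static.net"],
    "style_src"   => ["https://assets.gitlab-static.net"],
  },
}.freeze

# Merge each enabled feature's sources into the base policy. Unknown features
# raise KeyError on purpose: a typo should fail loudly, not silently drop sources.
def build_directives(enabled_features)
  directives = BASE_DIRECTIVES.transform_values(&:dup)
  enabled_features.each do |feature|
    FEATURE_SOURCES.fetch(feature).each do |directive, sources|
      directives[directive] = directives.fetch(directive, []) | sources # union, no dupes
    end
  end
  directives
end

# Serialise to the header value; Rails emits hyphenated directive names.
def csp_header(directives)
  directives.map { |name, sources| "#{name.tr('_', '-')} #{sources.join(' ')}" }.join('; ')
end

# Directives still carrying 'unsafe-inline' or 'unsafe-eval': the remaining to-do items.
def weak_directives(directives)
  directives.select { |_, s| (s & ["'unsafe-inline'", "'unsafe-eval'"]).any? }.keys
end
```

Running `build_directives([])` yields a policy with no third-party hosts at all, which is the baseline a self-hosted instance with none of these features enabled would need.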
Edited by Dominic Couture