Add `base-uri` directive in the CSP of GitLab.com
Issue
The current Content Security Policy is missing the `base-uri` directive. This could allow injection of `<base>` tags, which could be used to set the base URL for all relative (script) URLs to an attacker-controlled domain.
Validation
This can be verified by anyone using Google's CSP Evaluator; the results are below.
Possible Fix
Can we set it to 'none' or 'self'?
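As an added illustration (not part of this issue or of GitLab's code), the following Python checks a CSP header for the `base-uri` directive and shows how a `<base href>` re-targets a relative script URL; the header strings and `attacker.example` domain are constructed placeholders, not GitLab.com's actual policy.

```python
from urllib.parse import urljoin

# Constructed sample headers (not GitLab.com's real policy): one without
# base-uri, one with the restriction this issue proposes.
CSP_MISSING = "default-src 'self'; script-src 'self' https://cdn.example.com"
CSP_FIXED = CSP_MISSING + "; base-uri 'self'"


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [values]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_base_uri(header):
    """Return 'missing', 'restricted' or 'permissive' for base-uri.

    base-uri does not fall back to default-src, so an absent directive means
    an injected <base> tag is not constrained by the policy at all.
    'restricted' covers the two values the issue asks about: 'none' or 'self'.
    """
    values = parse_csp(header).get("base-uri")
    if values is None:
        return "missing"
    values = [v.lower() for v in values]
    if values in (["'none'"], ["'self'"]):
        return "restricted"
    return "permissive"


def resolve_script(page_url, base_href, script_src):
    """Where a relative script URL resolves to once a <base href> is in effect."""
    effective_base = urljoin(page_url, base_href) if base_href else page_url
    return urljoin(effective_base, script_src)


if __name__ == "__main__":
    for label, csp in (("missing", CSP_MISSING), ("fixed", CSP_FIXED)):
        print(label, "->", check_base_uri(csp))
    # Without an injected <base>, the relative script stays on the page's origin.
    print(resolve_script("https://gitlab.com/page", None, "/assets/app.js"))
    # With an injected <base href>, the same relative URL now points off-origin.
    print(resolve_script("https://gitlab.com/page", "https://attacker.example/", "/assets/app.js"))
```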
Related links
Edited by Dominic Couture