CSP bug when previewing PDF using LFS object storage without `proxy_download`

Summary

Related to #248100 (closed): when proxy_download is set to false and LFS is configured with an external object storage, there will be CSP errors (when the CSP is enabled) when previewing LFS PDF files (and possibly other file formats we offer previews for?). This is because the page issues a fetch request to the object storage URL, and the connect-src directive of the CSP doesn't allow that remote file storage URL.

We should probably add the LFS object storage endpoint to connect-src when proxy downloading is disabled.
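To make the connect-src point concrete, here is an added Ruby sketch (not GitLab's code) of how a CSP connect-src list could be derived from an object_store config like the gdk.yml fragment in this issue, together with a minimal source matcher that shows why the browser blocks the direct fetch when the storage origin is missing. The config hash, the presigned URL and the page origin gdk.test:3000 are constructed for the example; the helper names are hypothetical, and the virtual-hosted (path_style: false) branch assumes the bucket becomes a subdomain of the endpoint host, which is the case where the hostname is not known from the endpoint alone.

```ruby
require 'uri'

# Constructed config mirroring the gdk.yml fragment from this issue (not real credentials).
OBJECT_STORE = {
  'enabled' => true,
  'proxy_download' => false,
  'connection' => { 'endpoint' => 'http://127.0.0.1:9000', 'path_style' => true }
}.freeze

# Constructed presigned URL of the shape a path_style S3 endpoint returns; the signature is a placeholder.
PRESIGNED_URL = 'http://127.0.0.1:9000/lfs-objects/ab/cd/abcdef?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=PLACEHOLDER'.freeze

# Origin (scheme://host[:port]) the browser will contact for a presigned download.
# With path_style the origin is just the endpoint; without it the bucket is assumed
# to be a subdomain of the endpoint host (hypothetical, labelled assumption).
def object_storage_origin(config, bucket: nil)
  uri = URI.parse(config.dig('connection', 'endpoint'))
  host = uri.host
  host = "#{bucket}.#{host}" if bucket && !config.dig('connection', 'path_style')
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{host}#{port}"
end

# Hypothetical helper: connect-src sources. When proxy_download is off the browser fetches
# the object directly, so the storage origin must be listed; when it is on, the bytes are
# served from the GitLab origin and 'self' is enough.
def connect_src_sources(config, base: ["'self'"], bucket: nil)
  sources = base.dup
  sources << object_storage_origin(config, bucket: bucket) if config['enabled'] && !config['proxy_download']
  sources
end

def connect_src_directive(config, bucket: nil)
  "connect-src #{connect_src_sources(config, bucket: bucket).join(' ')}"
end

def same_origin?(a, b)
  a.scheme == b.scheme && a.host == b.host && a.port == b.port
end

# Minimal CSP source-expression matcher: only 'self' and host-source origins are handled,
# which is all that is needed to show the blocked fetch from this issue.
def allowed_by_csp?(sources, url, page_origin:)
  target = URI.parse(url)
  page = URI.parse(page_origin)
  sources.any? { |src| same_origin?(target, src == "'self'" ? page : URI.parse(src)) }
end

if __FILE__ == $PROGRAM_NAME
  page = 'http://gdk.test:3000'
  puts "default: #{allowed_by_csp?(["'self'"], PRESIGNED_URL, page_origin: page)}"
  puts connect_src_directive(OBJECT_STORE)
  puts "fixed:   #{allowed_by_csp?(connect_src_sources(OBJECT_STORE), PRESIGNED_URL, page_origin: page)}"
end
```

With only 'self' the presigned fetch is rejected, which is the console error described above; adding the origin derived from the configured endpoint lets it through, and the path_style branch shows why a per-bucket hostname cannot always be read straight from the endpoint.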

Steps to reproduce

  1. Enable the CSP (default enabled in dev and test)
  2. Configure object storage with proxy_download: false in gitlab.yml (copy object_store: config from gdk.yml.example to gdk.yml and set consolidated_form: true, enabled: true and add proxy_download: false)
     object_store:
       backup_remote_directory: ''
       connection:
         provider: AWS
         aws_access_key_id: minio
         aws_secret_access_key: gdk-minio
         region: gdk
         endpoint: http://127.0.0.1:9000
         path_style: true
       console_port: 9002
       consolidated_form: true
       proxy_download: false
       enabled: true
       host: 127.0.0.1
       objects:
         artifacts:
           bucket: artifacts
         external_diffs:
           bucket: external-diffs
         lfs:
           bucket: lfs-objects
         uploads:
           bucket: uploads
         packages:
           bucket: packages
         dependency_proxy:
           bucket: dependency-proxy
         terraform_state:
           bucket: terraform
         pages:
           bucket: pages
       port: 9000
  3. Enable LFS and push a PDF file (or import https://gitlab.com/LER0ever/pdf-preview-issue)
  4. Visit the LFS PDF in the project and observe the preview failing to load ("An error occurred while loading the file. Please try again later.") and CSP errors in the browser console

What is the current bug behavior?

PDF preview doesn't work with LFS when proxy_download is false and an external object storage is configured

What is the expected correct behavior?

CSP should adapt seamlessly

Output of checks

Reproduced on latest GDK

Possible fixes

#248100 (comment 1115150159)

  1. Fix the worker-src to allow for the pdf.js worker to load (e.g. allow <project path>/raw/:ref)
  2. Fix the connect-src to allow for Projects::RawController#show to access the object storage endpoint.

#248100 (comment 1115109779)

However, the tricky part here is that we don't actually know the hostname until we generate a presigned URL.

Edited by Joe Woodward