
Do not add ArkoseLabs URL to the CSP if global config is empty

Eugie Limpin requested to merge el-fix-arkose-labs-csp into master

What does this MR do and why?

When the arkose_labs_signup_challenge FF is enabled, the CSP for the signup page is updated to add https://*.arkoselabs.com as an allowed origin.

In gitlab-qa!1117 (closed), it was discovered that when there is no existing CSP configuration (i.e. allow resources from anywhere like for Omnibus installations), the CSP for the signup page is incorrectly being updated to only allow resources from https://*.arkoselabs.com. This results in the page not functioning correctly (missing JS scripts).

This MR fixes that problem by skipping the CSP update on the signup page when existing CSP directives are empty to keep the behavior of allowing resources from all origins.

Screenshots or screen recordings

N/A

How to set up and validate locally

  1. Disable content_security_policy in your gitlab.yml

    gitlab:
      content_security_policy:
        enabled: false
  2. Restart GDK and confirm that CSP is disabled in Rails console:

    > Settings.gitlab.content_security_policy
    => {"enabled"=>false, "report_only"=>false, "directives"=>{}}
  3. Enable the arkose_labs_signup_challenge FF

    > Feature.enable(:arkose_labs_signup_challenge)
    => true
  4. Visit the signup page

  5. Open the developer console and validate that there are no errors that look like:

    sign_up:2568 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://*.arkoselabs.com". ...

    If you look at the Content-Security-Policy response header for the page, it should look like:

    [Screenshot: Screenshot_2023-01-11_at_6.18.08_PM]

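The following Ruby is an added example, not code from this MR or from GitLab itself. It models the bug and the fix described above: a directives hash like the one `Settings.gitlab.content_security_policy` returns, a buggy updater that merges the Arkose origin into it unconditionally (so an empty hash becomes `script-src https://*.arkoselabs.com`, exactly the policy the console error in step 5 complains about), and a fixed updater that leaves an empty hash alone. The directive names in `ARKOSE_DIRECTIVES` are an assumption; the MR only says the origin is added as an allowed origin. The fixed version also goes one step beyond the MR: it inherits a missing directive's sources from `default-src` and skips a directive that has neither, since in CSP such a directive is unrestricted and adding a single source to it would narrow it to that source only.

```ruby
# Added example (not GitLab code): models the CSP update bug fixed by this MR.
ARKOSE_ORIGIN = 'https://*.arkoselabs.com'.freeze

# Directives the Arkose challenge is assumed to need; which ones GitLab
# actually touches is not stated on the page, so this list is an assumption.
ARKOSE_DIRECTIVES = %w[script-src frame-src connect-src].freeze

# Serialize a directives hash into a Content-Security-Policy header value.
def csp_header(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join('; ')
end

# Buggy behaviour: merge the Arkose origin in unconditionally. With CSP
# disabled (empty directives, allow-all) this yields a policy that permits
# scripts from *only* Arkose, breaking the signup page.
def add_arkose_buggy(directives)
  ARKOSE_DIRECTIVES.each_with_object(directives.dup) do |name, out|
    out[name] = out.fetch(name, []) | [ARKOSE_ORIGIN]
  end
end

# Fixed behaviour: no existing CSP means allow-all, so leave it untouched.
# For a non-empty policy, extend each directive from its own sources or, if
# it is absent, from default-src (the CSP fallback). If neither exists the
# directive is unrestricted and adding a source would narrow it, so skip it.
def add_arkose_fixed(directives)
  return directives if directives.empty?

  ARKOSE_DIRECTIVES.each_with_object(directives.dup) do |name, out|
    base = out[name] || out['default-src']
    next if base.nil?

    out[name] = base | [ARKOSE_ORIGIN]
  end
end

# The condition the manual check in step 5 is really looking for: a policy
# whose script-src allows nothing but the Arkose origin.
def arkose_only?(directives)
  directives['script-src'] == [ARKOSE_ORIGIN]
end

if $PROGRAM_NAME == __FILE__
  disabled = {} # constructed: CSP disabled, as in gitlab.yml above
  puts "buggy: #{csp_header(add_arkose_buggy(disabled))}"
  puts "fixed: #{csp_header(add_arkose_fixed(disabled)).inspect}"
end
```

Running the file prints the restrictive header the buggy path produces for an empty policy and an empty string for the fixed path, which is what the signup page should send when CSP is disabled.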
MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
