Enable Content-Security-Policy by default

We want to enable this by default, but we'd have to be very careful because it could break a number of setups:

  1. In development mode, the ports will vary depending on your Webpack ports (e.g. 3808 vs 3809), Workhorse ports (e.g. 3000, 3001) etc.
  2. In test mode, CI calls to execute_script may be blocked by CSP rules (see https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14975#note_200390099). Not sure how to get around this at the moment: there may be a way to disable CSP just for specific tests that need this.
  3. We have to account for CDN hostnames and other external URL/ports that customers might use.

A few years ago @connorshea attempted to enable report-only CSP that we rolled back:

We should use some of these rules to build the list dynamically.
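
A sketch of building the source list dynamically, added here as an illustration and not GitLab's own code: the helper names, parameters and the cdn.example.com host are assumptions. It covers the development Webpack port and a customer-configured CDN URL, rejects configured values that could inject extra directives into the header, and defaults to report-only mode.

```ruby
require 'uri'

# Hypothetical helpers; parameter names are assumptions, not GitLab settings.
SELF_SRC = "'self'"

# Reduce a configured URL to scheme://host[:port]. Reject characters that
# would let a setting add directives or keywords to the header.
def csp_origin(url)
  raise ArgumentError, "unsafe CSP source: #{url.inspect}" if url =~ /[\s;,'"]/
  uri = URI.parse(url)
  unless uri.is_a?(URI::HTTP) && uri.host
    raise ArgumentError, "not an http(s) URL: #{url.inspect}"
  end
  origin = "#{uri.scheme}://#{uri.host}"
  origin += ":#{uri.port}" unless uri.port == uri.default_port
  origin
end

def build_csp(env:, cdn_host: nil, webpack_port: nil, extra_sources: [])
  external = ([cdn_host] + extra_sources).compact.map { |u| csp_origin(u) }
  directives = {
    'default-src' => [SELF_SRC],
    'script-src'  => [SELF_SRC] + external,
    'style-src'   => [SELF_SRC] + external,
    'img-src'     => [SELF_SRC, 'data:'] + external,
    'connect-src' => [SELF_SRC] + external,
    'object-src'  => ["'none'"]
  }
  # The Webpack dev server port varies per setup (e.g. 3808 vs 3809), so it
  # is passed in, and only honoured in development.
  if env == 'development' && webpack_port
    dev = "localhost:#{Integer(webpack_port)}"
    directives['script-src']  += ["http://#{dev}"]
    directives['style-src']   += ["http://#{dev}"]
    directives['connect-src'] += ["http://#{dev}", "ws://#{dev}"]
  end
  directives.transform_values(&:uniq)
end

# Returns [header_name, header_value]; report-only unless told otherwise.
def csp_header(directives, report_only: true)
  name = 'Content-Security-Policy'
  name += '-Report-Only' if report_only
  [name, directives.map { |k, v| "#{k} #{v.join(' ')}" }.join('; ')]
end
```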