Our CSP is in report-only mode, but we'd like to get it closer to being enforceable. As a step in that direction I've opened a few pages in production, audited the most common CSP warnings in the browser console, and this should resolve them. These are all expected tools; our policy has just bitrotted, or the vendor has changed their resources.
object_src: we can't include none alongside an actual value
CSP docs for Helpscout beacon (mentions the cloudfront domain): https://docs.helpscout.com/article/815-csp-settings-for-beacon
CSP docs for datadog real user monitoring: https://docs.datadoghq.com/integrations/content_security_policy_logs/
I also added some comments as context for future travelers.
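
The object_src point above can be checked mechanically. This is an added example, not code from this change: it parses a serialized policy header and reports any directive that lists 'none' next to another source, since browsers ignore 'none' in that case. The function names and the sample policy (including cdn.example.test) are constructed for illustration.

```ruby
# Added example: flag CSP directives that mix 'none' with other sources.
# The policy string below is constructed sample input, not the project's policy.

# Parse a serialized policy into { directive_name => [source expressions] }.
# Directive names are case-insensitive, and a repeated directive is ignored
# after its first occurrence, so only the first one is kept.
def parse_csp(header)
  header.split(';').each_with_object({}) do |chunk, policy|
    name, *sources = chunk.strip.split(/\s+/)
    next if name.nil? # empty segment, e.g. a trailing ';'

    name = name.downcase
    policy[name] = sources unless policy.key?(name)
  end
end

# Return the names of directives where 'none' appears beside another source.
# 'none' only has an effect when it is the sole entry in the source list, so
# such a directive is looser than it reads.
def mixed_none_directives(header)
  mixed = parse_csp(header).select do |_name, sources|
    sources.size > 1 && sources.any? { |s| s.casecmp?("'none'") }
  end
  mixed.keys
end

SAMPLE_POLICY = "default-src 'self'; " \
                "object-src 'none' https://cdn.example.test; " \
                "script-src 'self' https://cdn.example.test; " \
                "frame-ancestors 'none'"

if __FILE__ == $PROGRAM_NAME
  mixed_none_directives(SAMPLE_POLICY).each do |name|
    puts "#{name}: 'none' is combined with other sources and will be ignored"
  end
end
```

Run against the header the application actually emits, a check like this can sit in CI so the policy does not drift back into the mixed form.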