
Update CSP directives to work with Google Analytics 4 in SaaS

Tyler Williams requested to merge fix/update-saas-csp-for-ga4 into master

What does this MR do and why?

This MR will resolve gitlab-com/marketing/digital-experience/buyer-experience#1046 (closed). We are updating SaaS to Google Analytics 4, which requires some changes to the content security policy to work.

This MR adds a Google Analytics CSP module, much like we did for the Bizible script, along with a feature spec for it, and includes it alongside all the existing OneTrustCSP include statements, since those are all the places we will need GA for now. I also had to update some feature specs that were expecting a specific CSP to be in place, so I updated with these new values.

How to set up and validate locally

  1. Set GITLAB_SIMULATE_SAAS=1 in your environment to make GDK act as SaaS, since this change only affects SaaS.
  2. Create a Google Tag Manager account and container ID. You should just need to follow step 1 of the instructions. The GTM container can be empty - it just needs to exist.
  3. In gitlab.yml, add your GTM ID in the extra block for both the google_tag_manager_id and google_tag_manager_nonce_id values. Make sure to restart GDK (or do this step prior to starting GDK) for settings to take effect.
    extra:
     google_tag_manager_id: 'GTM-YOURIDHERE'
     google_tag_manager_nonce_id: 'GTM-YOURIDHERE'
  4. Start or restart your GDK
  5. Visit localhost:3000/users/sign_up
  6. Use the network tab or a tool like CSP evaluator to check the CSP for the page and verify that the GA4 policies are in place. This is what I see locally, which contains the required values.

CSP from localhost:3000/users/sign_in

base-uri 'self';
child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://127.0.0.1:3000/rails/letter_opener/ http://127.0.0.1:3000/admin/ http://127.0.0.1:3000/assets/ http://127.0.0.1:3000/-/speedscope/index.html http://127.0.0.1:3000/-/sandbox/mermaid blob: data:;
connect-src 'self' http://127.0.0.1:3808 ws://127.0.0.1:3808 ws://127.0.0.1:3000 https://cdn.cookielaw.org https://*.onetrust.com *.google-analytics.com *.analytics.google.com *.googletagmanager.com;
default-src 'self';
font-src 'self';
form-action 'self' https: http:;
frame-ancestors 'self';
frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://127.0.0.1:3000/rails/letter_opener/ http://127.0.0.1:3000/admin/ http://127.0.0.1:3000/assets/ http://127.0.0.1:3000/-/speedscope/index.html http://127.0.0.1:3000/-/sandbox/mermaid;
img-src 'self' data: blob: http: https: *.google-analytics.com *.googletagmanager.com;
manifest-src 'self';
media-src 'self' data:;
object-src 'none';
script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org https://*.onetrust.com https://cdn.bizible.com/scripts/bizible.js *.googletagmanager.com 'nonce-5VWjOe7VkiB4l1bDmGcltA==';
style-src 'self' 'unsafe-inline';
worker-src http://127.0.0.1:3000/assets/ blob: data:;

Required CSP for GA4

script-src:  *.googletagmanager.com
img-src:     *.google-analytics.com *.googletagmanager.com
connect-src: *.google-analytics.com *.analytics.google.com *.googletagmanager.com

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Tyler Williams
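As an added example (not part of this MR or of GitLab's own code), a small Ruby checker for validation step 6: it parses a Content-Security-Policy header and reports which of the GA4-required sources listed above are missing from script-src, img-src and connect-src. The two sample policies are constructed for the example.

```ruby
# Added example (not from the MR): check a CSP header for the GA4-required sources.
REQUIRED_GA4_SOURCES = {
  'script-src'  => %w[*.googletagmanager.com],
  'img-src'     => %w[*.google-analytics.com *.googletagmanager.com],
  'connect-src' => %w[*.google-analytics.com *.analytics.google.com *.googletagmanager.com]
}.freeze

# Turn "a b; c d" into { "a" => ["b"], "c" => ["d"] }; directive names are case-insensitive.
def parse_csp(header)
  header.split(';').each_with_object({}) do |directive, acc|
    tokens = directive.strip.split(/\s+/)
    next if tokens.empty? || tokens.first.empty?

    name, *sources = tokens
    acc[name.downcase] = sources
  end
end

# Returns { directive => [missing sources] }; an empty hash means GA4 is fully allowed.
# A directive that is absent falls back to default-src, exactly as a browser would,
# so a policy relying on "default-src 'self'" still reports the GA hosts as missing.
def ga4_csp_gaps(header)
  policy = parse_csp(header)
  REQUIRED_GA4_SOURCES.each_with_object({}) do |(directive, required), gaps|
    present = policy.fetch(directive) { policy.fetch('default-src', []) }
    missing = required - present
    gaps[directive] = missing unless missing.empty?
  end
end

# Constructed samples: a pre-change policy lacking the GA4 connect-src entries,
# and the same policy with the connect-src hosts from the table above appended.
BEFORE_CSP = "default-src 'self'; script-src 'self' 'nonce-abc' *.googletagmanager.com; " \
             "img-src 'self' data: *.google-analytics.com *.googletagmanager.com; " \
             "connect-src 'self' https://*.onetrust.com"
AFTER_CSP = BEFORE_CSP + ' *.google-analytics.com *.analytics.google.com *.googletagmanager.com'

if __FILE__ == $PROGRAM_NAME
  puts "before: #{ga4_csp_gaps(BEFORE_CSP).inspect}" # reports the three connect-src hosts
  puts "after:  #{ga4_csp_gaps(AFTER_CSP).inspect}"  # {}
end
```

Paste the header copied from the browser's network tab into `ga4_csp_gaps` to get the same report for a local GDK page.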
