feat: add security headers

[ilayda-cp]

Done

Added security headers.

• Content-Security-Policy: Restrict resources (e.g., JavaScript, CSS, Images) and URLs
• Referrer-Policy: Limit referrer data for security while preserving full referrer for same-origin requests
• Cross-Origin-Embedder-Policy: allows embedding cross-origin resources
• Cross-Origin-Opener-Policy: enable the page to open pop-ups while maintaining same-origin policy
• Cross-Origin-Resource-Policy: allowing cross-origin requests to access the resource
• X-Permitted-Cross-Domain-Policies: disallows cross-domain access to
  resources

Read more from here.

QA

• Open : https://ubuntu-com-14411.demos.haus/
• Verify no security header error is shown in the console.
• Verify all the images, videos, iframes and other resources are shown correctly
• Verify there is no behavior change (such as a link doesnt open)
• Open header analyzer
• Verify Referrer-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy and X-Permitted-Cross-Domain-Policies headers arent missing

Issue / Card

Fixes #14446, #14447, #14448, #14449, #14450, #14451, #14452

[webteam-app]

Demo

Jenkins

demos.haus

[anthonydillon]

I get on the homepage:

Refused to connect to 'https://region1.google-analytics.com/g/collect?v=2&tid=G-5LTL1CNEJM&gtm=45je4a90v882794756z871014405za200zb71014405&_p=1728640748304&gcs=G100&gcd=13p3p3p3p5l1&npa=1&dma_cps=-&dma=0&tag_exp=101671035~101686685&cid=258964618.1728640750&ul=en-gb&sr=2560x1440&uaa=x86&uab=64&uafvl=Google%2520Chrome%3B129.0.6668.70%7CNot%253DA%253FBrand%3B8.0.0.0%7CChromium%3B129.0.6668.70&uamb=0&uam=&uap=Linux&uapv=5.15.0&uaw=0&are=1&frm=0&pscdl=denied&_s=1&sid=1728640749&sct=1&seg=0&dl=https%3A%2F%2Fubuntu-com-14411.demos.haus%2F&dt=Enterprise%20Open%20Source%20and%20Linux%20%7C%20Ubuntu&en=impression&_fv=1&_nsi=1&_ss=1&ep.type=takeover&ep.impression_from=https%3A%2F%2Fubuntu-com-14411.demos.haus%2F&ep.impression_to=https%3A%2F%2Fubuntu.com%2Fblog%2Fcanonical-releases-ubuntu-24-10-oracular-oriole%3Futm_campaign%3Dtakeover&ep.impression_cta=read%20the%20press%20release&tfd=1938' because it violates the following Content Security Policy directive: "connect-src 'self' 

[ilayda-cp]

@anthonydillon fixed it could you try again?

[anthonydillon]

I still get a Reused connection to https://region1.google-analytics.com. Do you need to wildcard the subdomain?

[anthonydillon]

Also we need vimeo on this page: https://ubuntu-com-14411.demos.haus/16-04/azure

[anthonydillon]

@usamabinnadeem-10 and @abhigyanghosh30 could you check creds and pro store on this demo please

[abhigyanghosh30]

In the checkout, the captcha seems to be broken

[ilayda-cp]

@abhigyanghosh30 can you describe how you get that page?

[abhigyanghosh30]

@abhigyanghosh30 can you describe how you get that page?

So to recreate the issue

• Visit https://ubuntu-com-14411.demos.haus/pro/subscribe
• Select any product combination and click on the buy button at the bottom

It will take you to /account/checkout which is where the error occurs

[ilayda-cp]

@anthonydillon i ve already added it as a wild card. but i cant get the error. could you verify the error is still relevant with "connect-src" or some other CSP attribute?

[ilayda-cp]

Also we need vimeo on this page: https://ubuntu-com-14411.demos.haus/16-04/azure

@anthonydillon it might not related with the security headers beaceuse:

• vimeo has already added to the frame-src
• no blocked content warning is shown in the console or the network tab
• i checked out to the main branch still have the same error

could you verify if its working for you locally on main?

[ilayda-cp]

Fixed the captcha

[anthonydillon]

@abhigyanghosh30 @usamabinnadeem-10 could you give this branch another review in regards to CUE and Pro, please?

[ilayda-cp]

Can somebody review this?

[abhigyanghosh30]

@abhigyanghosh30 @usamabinnadeem-10 could you give this branch another review in regards to CUE and Pro, please?

The Pro and CUE shop work now.