refactor(core): allow cloudflare insights origin in csp

packages/core/src/middleware/koa-security-headers.ts

@@ -78,7 +78,7 @@
     crossOriginOpenerPolicy: false, // Allow cross origin opener, as some apps rely on popup window for the sign-in flow
     // Google One Tap iframe request does not respond the proper CORP header (it uses `same-site` instead of `cross-origin`)
     // and we cannot add the `crossorigin` attribute to the iframe, so the only solution is to disable the COEP header here.
     // TODO: Re-enable COEP header when Google One Tap supports CORP header.
     crossOriginEmbedderPolicy: false,
     dnsPrefetchControl: false,
     referrerPolicy: {
@@ -105,6 +105,9 @@
           "'self'",
           "'unsafe-inline'",
           `${gsiOrigin}client`,
+          // Some of our users may use the Cloudflare Web Analytics service. We need to allow it to
+          // load its scripts.
+          'https://static.cloudflareinsights.com/',
           ...conditionalArray(!isProduction && "'unsafe-eval'"),
         ],
         connectSrc: ["'self'", gsiOrigin, tenantEndpointOrigin, ...developmentOrigins],