fix(csp): upgrade UI and fix zap failure (#1372)

The zap scanner started to check the csp header, which is causing a warning.

We also need to ignore the rule, as both settings are read by the scanner.

Per https://w3c.github.io/webappsec-csp/#example-7bb4ce67 we can have multiple
Content-Security-Policy headers, and the most restrictive policies apply.
This rule doesn't seem to be applied by zap.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

pkg/extensions/extension_ui.go

@@ -7,6 +7,7 @@ import (
 	"embed"
 	"io/fs"
 	"net/http"
+	"strings"
 
 	"github.com/gorilla/mux"
 
@@ -40,6 +41,18 @@ func addUISecurityHeaders(h http.Handler) http.HandlerFunc { //nolint:varnamelen
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 		w.Header().Set("X-Frame-Options", "DENY")
 
+		cspDirectives := []string{
+			"default-src 'none'",
+			"script-src 'self' 'unsafe-inline'",
+			"style-src 'self' 'unsafe-inline'",
+			"font-src 'self'",
+			"connect-src 'self'",
+			"img-src 'self'",
+			"manifest-src 'self'",
+			"base-uri 'self'",
+		}
+		w.Header().Set("Content-Security-Policy", strings.Join(cspDirectives, "; "))
+
 		h.ServeHTTP(w, r)
 	}
 }