Add missing CSP directives that do not fall back to default-src

frame-ancestors, form-action, and base-uri do not inherit from
default-src and must be explicitly defined.

- frame_ancestors 'self': prevents clickjacking via iframe embedding
- form_action 'self': restricts where forms can submit
- base_uri 'self': prevents base tag injection attacks

Note: report-to is not supported by secure_headers ~> 3.9; report-uri
is already set and remains the reporting mechanism.

CP4AIOPS-15067

Author: jrafanie

config/initializers/secure_headers.rb

@@ -27,16 +27,19 @@
       :report_only => false,
       :report_uri  => ["/dashboard/csp_report"],
 
-      :default_src => ["'self'"],
-      :child_src   => ["'self'"],
-      :connect_src => ["'self'"],
-      :font_src    => ["'self'", 'https://fonts.gstatic.com', "https://fonts.googleapis.com"],
-      :frame_src   => ["'self'"],
-      :img_src     => ["'self'", "data:"],
-      :object_src  => ["'self'"],
-      :script_src  => ["'unsafe-eval'", "'unsafe-inline'", "'self'"],
-      :style_src   => ["'unsafe-inline'", "'self'", "https://fonts.googleapis.com", "https://fonts.gstatic.com"],
-      :worker_src  => ["'self'"]
+      :base_uri        => ["'self'"],
+      :default_src     => ["'self'"],
+      :child_src       => ["'self'"],
+      :connect_src     => ["'self'"],
+      :font_src        => ["'self'", 'https://fonts.gstatic.com', "https://fonts.googleapis.com"],
+      :form_action     => ["'self'"],
+      :frame_ancestors => ["'self'"],
+      :frame_src       => ["'self'"],
+      :img_src         => ["'self'", "data:"],
+      :object_src      => ["'self'"],
+      :script_src      => ["'unsafe-eval'", "'unsafe-inline'", "'self'"],
+      :style_src       => ["'unsafe-inline'", "'self'", "https://fonts.googleapis.com", "https://fonts.gstatic.com"],
+      :worker_src      => ["'self'"]
     }
   end
 end