Add EXTRA_MEDIA_HOSTS environment variable to add extra hosts to Content-Security-Policy (#34184)

Co-authored-by: Claire <claire.github-309c@sitedethib.com>

.env.production.sample

@@ -79,6 +79,9 @@ AWS_ACCESS_KEY_ID=
 AWS_SECRET_ACCESS_KEY=
 S3_ALIAS_HOST=files.example.com
 
+# Optional list of hosts that are allowed to serve media for your instance
+# EXTRA_MEDIA_HOSTS=https://data.example1.com,https://data.example2.com
+
 # IP and session retention
 # -----------------------
 # Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml

app/lib/content_security_policy.rb

@@ -10,7 +10,7 @@ class ContentSecurityPolicy
   end
 
   def media_hosts
-    [assets_host, cdn_host_value, paperclip_root_url].compact
+    [assets_host, cdn_host_value, paperclip_root_url].concat(extra_media_hosts).compact
   end
 
   def sso_host
@@ -31,6 +31,10 @@ class ContentSecurityPolicy
 
   private
 
+  def extra_media_hosts
+    ENV.fetch('EXTRA_MEDIA_HOSTS', '').split(/(?:\s*,\s*|\s+)/)
+  end
+
   def url_from_configured_asset_host
     Rails.configuration.action_controller.asset_host
   end