This commit implements the recommended Content Security Policy (CSP) for
SpeedCurve RUM (a.k.a. Lux.js) as per their documentation. We however
have not implemented their script source because we use a self hosted
version of RUM [2].
This adds connect_src as a mechanism to communicate with RUM, this is
needed because the previous method we used to record metrics, LUX.becaonMode,
has been removed from Speedcurve RUM as of version 300 [3] which used
images, whereas version 300 uses JS to send HTTP requests.
I'm not sure if there remains to be any value having an img_src entry
for lux.speedcurve.com as I'm not sure it is used beyond LUX.beaconMode,
however it is still referenced in their recommended CSP [1].
The motivation for making this change is that we are seeing intermittent
errors on the Smokey test suite, which presumably are occurring whenever
RUM gets used. Example error:
```
https://www.integration.publishing.service.gov.uk/?smokey_cachebust=0.40911524769922525 - [Report Only] Refused to connect to 'https://lux.speedcurve.com/lux/?v=300&id=47044334&sid=164914853971764200&uid=164914853971764200&l=Welcome%20to%20GOV.UK&NT=1649148539305fs0ds0de0cs0ce0qs1bs5be15ol11oi198os198oe213oc215ls215le215sr165fc165&LJS=&PS=ns7bs0is1051ss4bc2ic0ia0it3dd9nd567vh600vw785dh4717dw785ds11601ct4G_er0nt0dm4&CPU=s|0,n|0,d|0,x|0,i|165&fl=80&HN=www.integration.publishing.service.gov.uk&PN=%2F' because it violates the following Content Security Policy directive: "connect-src 'self' *.publishing.service.gov.uk *.integration.publishing.service.gov.uk www.gov.uk *.dev.gov.uk www.google-analytics.com ssl.google-analytics.com stats.g.doubleclick.net www.googletagmanager.com www.tax.service.gov.uk hmrc-uk.digital.nuance.com hmpowebchat.klick2contact.com omni.eckoh.uk www.signin.service.gov.uk".
```
[1]: https://support.speedcurve.com/docs/add-rum-to-your-csp
[2]: https://github.com/alphagov/govuk_publishing_components/blob/3674bf941cacbe97161f29ed63a349467d720eb2/docs/real-user-metrics.md
[3]: https://support.speedcurve.com/changelog/rum-update-luxjs-v300
Co-authored by: Kevin Dew <kevin.dew@digital.cabinet-office.gov.uk>