config: block browser external connections during system tests

During system tests, we don't want the headless browser to load
external resources:

- It is faster (we don't wait for external resources to be loaded)
- It avoids leaking our test setup to external service

Fixes #6982

config/environments/test.rb

@@ -66,8 +66,8 @@ Rails.application.configure do
     protocol: :http
   }
 
-  # Use Content-Security-Policy-Report-Only headers
-  config.content_security_policy_report_only = true
+  # Disallow all connections to external domains during tests
+  config.content_security_policy_report_only = false
 
   config.active_job.queue_adapter = :test
   config.active_storage.service = :test

config/initializers/content_security_policy.rb

@@ -41,11 +41,22 @@ Rails.application.config.content_security_policy do |policy|
   policy.default_src(:self, :data, :blob, :report_sample, *default_whitelist)
 
   if Rails.env.development?
+    # Allow LiveReload requests
+    policy.connect_src(*policy.connect_src, "ws://localhost:3035", "http://localhost:3035")
+
     # CSP are not enforced in development (see content_security_policy_report_only in development.rb)
     # However we notify a random local URL, to see breakage in the DevTools when adding a new external resource.
     policy.report_uri "http://#{ENV.fetch('APP_HOST')}/csp/"
-    # Allow LiveReload requests
-    policy.connect_src(*policy.connect_src, "ws://localhost:3035", "http://localhost:3035")
+
+  elsif Rails.env.test?
+    # Disallow all connections to external domains during tests
+    policy.img_src(:self, :data, :blob)
+    policy.script_src(:self, :unsafe_eval, :unsafe_inline, :blob)
+    policy.style_src(:self)
+    policy.connect_src(:self)
+    policy.frame_src(:self)
+    policy.default_src(:self, :data, :blob)
+
   else
     policy.report_uri CSP_REPORT_URI if CSP_REPORT_URI.present?
   end