Merge pull request #11371 from ivantedja/fix/optimizely-csp

fix optimizely csp for script-src

server/middlewares/csp.js

@@ -14,9 +14,9 @@ export default function csp() {
   return helmet.contentSecurityPolicy({
     directives: {
       defaultSrc: trusted.concat([
-        '*.optimizely.com',
         'https://*.cloudflare.com',
-        '*.cloudflare.com'
+        '*.cloudflare.com',
+        'https://*.optimizely.com'
       ]),
       scriptSrc: [
         "'unsafe-eval'",
@@ -33,7 +33,8 @@ export default function csp() {
         '*.twimg.com',
         'https://*.twimg.com',
         '*.youtube.com',
-        '*.ytimg.com'
+        '*.ytimg.com',
+        'https://*.optimizely.com'
       ].concat(trusted),
       styleSrc: [
         "'unsafe-inline'",
@@ -42,7 +43,8 @@ export default function csp() {
         '*.bootstrapcdn.com',
         'https://*.bootstrapcdn.com',
         '*.cloudflare.com',
-        'https://*.cloudflare.com'
+        'https://*.cloudflare.com',
+        'https://*.optimizely.com'
       ].concat(trusted),
       fontSrc: [
         '*.cloudflare.com',
@@ -50,7 +52,8 @@ export default function csp() {
         '*.bootstrapcdn.com',
         '*.googleapis.com',
         '*.gstatic.com',
-        'https://*.bootstrapcdn.com'
+        'https://*.bootstrapcdn.com',
+        'https://*.optimizely.com'
       ].concat(trusted),
       imgSrc: [
         // allow all input since we have user submitted images for