feat: Remove local-dev Content Security Policy (#2179)

config/runtime.exs

@@ -229,21 +229,10 @@ case config_env() do
              "; "
            )
 
+  # Dev is only used for local development, so we don't need, and in
+  # fact actively do not want, a restrictive CSP
   :dev ->
-    config :dotcom,
-           :content_security_policy_definition,
-           Enum.join(
-             [
-               "default-src 'none'",
-               "img-src 'self' cdn.mbta.com #{System.get_env("CMS_API_BASE_URL", "")} *.google.com *.googleapis.com *.gstatic.com mbta-map-tiles-dev.s3.amazonaws.com data: i.ytimg.com www.googletagmanager.com",
-               "style-src 'self' 'unsafe-inline' localhost:* www.gstatic.com cdn.jsdelivr.net",
-               "script-src 'self' 'unsafe-eval' 'unsafe-inline' localhost:* www.instagram.com *.google.com www.gstatic.com www.googletagmanager.com www.google-analytics.com *.googleapis.com data.mbta.com",
-               "font-src 'self' localhost:*",
-               "connect-src 'self' localhost:* ws://localhost:* *.googleapis.com",
-               "frame-src 'self' localhost:* data.mbta.com www.youtube.com www.google.com cdn.knightlab.com livestream.com www.instagram.com"
-             ],
-             "; "
-           )
+    config :dotcom, :content_security_policy_definition, "*"
 
   :test ->
     config :dotcom, :content_security_policy_definition, ""