[Bug]: [Objects] External video preview image (YouTube) blocked due to CSP

[podarcis]

Pimcore version

11.2.2

Steps to reproduce

1. Have data field of type video.
2. Choose external video (e.g. YouTube) and paste its YT-code.
3. Preview image is blocked by the browser due to CSP.

Refused to frame 'https://www.youtube-nocookie.com/' because it violates the following Content Security Policy directive: "frame-src 'self' data:".

Actual Behavior

Preview image is blocked due to CSP and thus not shown.

Expected Behavior

As configuring YouTube in video field is a core functionality it should not require project specific configuring such as:

pimcore_admin:
    admin_csp_header:
        additional_urls:
            frame-src:
                - 'https://www.youtube-nocookie.com/'

Instead these external video services should be allowed by default in ContentSecurityPolicyHandler.

[podarcis]

I'd do a PR in pimcore/admin-ui-classic-bundle, when you confirm/label this issue (which you might also want to transfer to pimcore/admin-ui-classic-bundle).

[github-actions]

Thanks a lot for reporting the issue. We did not consider the issue as "Pimcore:Priority", "Pimcore:ToDo" or "Pimcore:Backlog", so we're not going to work on that anytime soon. Please create a pull request to fix the issue if this is a bug report. We'll then review it as quickly as possible. If you're interested in contributing a feature, please contact us first here before creating a pull request. We'll then decide whether we'd accept it or not. Thanks for your understanding.

[AlternateIf]

can confirm this

[AlternateIf]

            - 'https://www.dailymotion.com/'
            - 'https://player.vimeo.com/'

should also be included

[fashxp]

PR would be great. Thx