'self' allows CSP bypasses by using files hosted on GitLab
itself. It is replaced with relative paths to the URLs we
know we're using in frames

Changelog: security