Description of problem:
Response with status code 401 is not showing the right content type; technically it would require CSP with a text/html response, but it would not with a JSON response.
Response with status code 404 is showing an HTML response with no CSP.

Version-Release number of selected component (if applicable):
pcs-0.10.14-5.el8

How reproducible:
Always

Steps to Reproduce:
1. Disable pcs WebUI
2. Access WebUI and receive either a 401 or 404 error page
3. Check headers

Actual results:
Headers lack CSP

Expected results:
CSP to be included even with error pages

Additional info:
To summarize why we cannot fix CSP in RHEL 8 globally: Setting CSP to "script-src 'self'", as asked, is not possible with the RHEL 8 pcs web UI for two reasons.

1) Such a setting prevents inline scripts from being executed. To fix this, we would need to move all inline scripts to an external .js file.

2) Such a setting prevents rendering handlebars templates. They are compiled on the fly and the compilation depends on calling "Function()", which is blocked by CSP. The only way to resolve this is to move to precompiled handlebars templates, which would require significant time and resources.

We've been working on a completely new web UI, to fix this and other issues, for a few years. The new web UI is released in RHEL 9 pcs packages as the only web UI. In RHEL 8, it is released as a tech preview alongside the old one.

Regarding the specific issue reported in this BZ: It is possible to fix this in RHEL 8. RHEL 9 is also affected, I'm going to create a BZ for that.
Upstream patch: https://github.com/ClusterLabs/pcs/commit/2f3cd689e38fec824644bbeae3bad2e5accecb5b

Test:
1. disable pcs web UI
2. access pcs web UI and receive a 404 page
3. access /remote/capabilities URL and receive a 401 page
4. verify that "Content-Security-Policy" HTTP header is set to "frame-ancestors 'self'; default-src 'self'" in both cases
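The test steps above, as an added example that is not pcs code: a toy router with the bug (security headers set only on the success path), a wrapper that applies them to every response regardless of status, and the step 4 check run against both. The paths, bodies and header set are assumptions taken from this report, not the real pcs daemon.

```python
# Added example, not pcs code: models the bug in this report and the fix
# pattern (apply security headers to every response, error pages included).

from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]

# Header set taken from the DevTestResults comment; CSP value from test step 4.
SECURITY_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "frame-ancestors 'self'; default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}


def route(path: str, webui_enabled: bool) -> Response:
    """Buggy handler (assumed paths): only the success path sets the security
    headers, so the early returns for 401 and 404 go out without CSP."""
    if path == "/remote/capabilities":
        return 401, {"Content-Type": "application/json"}, b'{"error": "unauthorized"}'
    if not webui_enabled or path not in ("/", "/index.html"):
        return 404, {"Content-Type": "text/html; charset=UTF-8"}, b"<h1>Not Found</h1>"
    headers = {"Content-Type": "text/html; charset=UTF-8", **SECURITY_HEADERS}
    return 200, headers, b"<html>web UI</html>"


def with_security_headers(handler: Callable[..., Response]) -> Callable[..., Response]:
    """Fix: merge the headers in after the handler returns, whatever the status,
    so no error branch can forget them. Handler-set headers take precedence."""
    def wrapped(*args, **kwargs) -> Response:
        status, headers, body = handler(*args, **kwargs)
        return status, {**SECURITY_HEADERS, **headers}, body
    return wrapped


def csp_missing(handler: Callable[..., Response], webui_enabled: bool = False) -> List[Tuple[str, int]]:
    """Test step 4 as code: with the web UI disabled, request the 404 and 401
    pages and list every (path, status) whose CSP header is absent or wrong."""
    expected = SECURITY_HEADERS["Content-Security-Policy"]
    findings = []
    for path in ("/index.html", "/remote/capabilities"):
        status, headers, _ = handler(path, webui_enabled)
        if headers.get("Content-Security-Policy") != expected:
            findings.append((path, status))
    return findings


if __name__ == "__main__":
    print("before fix:", csp_missing(route))                         # both pages flagged
    print("after fix: ", csp_missing(with_security_headers(route)))  # []
```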
DevTestResults:

[root@r08-09-a ~]# rpm -q pcs
pcs-0.10.16-1.el8.x86_64

Response headers on requests for index.html and favicon.ico both contain the desired CSP policy:

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Fri, 26 May 2023 15:30:04 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 69
The same test as in bz2160664 comment 11 was used to verify this bz. Marking as VERIFIED for pcs-0.10.17-2.el8.