
feat(editor): Add Env vars for auth cookie samesite and csp headers #13855

Draft
wants to merge 2 commits into base: master

Conversation

maspio (Contributor) commented Mar 12, 2025

Summary

Advanced deployment scenarios like embedding n8n require customization of security headers. Manipulating headers can be achieved using proxies like nginx or traefik, but it's hard to learn and too demanding for running quick POCs. To embed n8n's UI in an iframe you need to be able to customize the following headers:

  • Make the n8n-auth cookie work in an iframe by setting the cookie attributes samesite=none and secure. We already have the env var N8N_SECURE_COOKIE for the secure attribute. This adds the N8N_SAMESITE_COOKIE env var.
  • To block embedding in iFrames n8n sets X-Frame-Options: SAMEORIGIN, so that the page can only be displayed if all ancestor frames have the same origin as the page itself. That does not work for iFrames, since the embedding page will most likely have a different origin (subdomains don't work). This PR adds the env var N8N_CONTENT_SECURITY_POLICY to set CSP headers as a JSON object definition according to helmet.js. With CSP headers we can set frame-ancestors: ["http://example.com"] to specify which parent source may embed a page. The frame-ancestors directive overrules the X-Frame-Options header and is the preferred way to specify embedding page origins.

Notes:

  • We set helmet's contentSecurityPolicy.useDefaults=false to force engineers to always define their own default-src when defining csp headers, e.g. default-src 'self'.

Related Linear tickets, Github issues, and Community forum posts

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

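The two env vars described above, worked through as an added example (this is not code from the PR, from n8n or from helmet): it parses a helmet-style CSP directive object from N8N_CONTENT_SECURITY_POLICY, serializes it, builds the auth cookie's Set-Cookie value from N8N_SAMESITE_COOKIE and N8N_SECURE_COOKIE, and fails closed on the two misconfigurations a deployer is most likely to hit, a policy with no default-src (the reason the PR disables helmet's defaults) and SameSite=None without Secure (which browsers silently drop). The env var names follow the PR description; the function names and the example environment are hypothetical.

```javascript
// Added example: security headers for embedding n8n, derived from the env
// vars named in the PR description. Function names are hypothetical and the
// environment below is constructed for illustration.

// helmet accepts directive names in camelCase (frameAncestors) or kebab-case
// (frame-ancestors); normalise to the on-the-wire form.
function toDirectiveName(name) {
  return name.replace(/[A-Z]/g, (c) => `-${c.toLowerCase()}`);
}

// Parse N8N_CONTENT_SECURITY_POLICY (a JSON object of directives) into a
// { 'kebab-name': [values] } map. With useDefaults=false helmet adds nothing
// for you, so a policy without default-src has no fallback for any resource
// type it does not name; reject it instead of shipping it.
function parseCspEnv(raw) {
  if (raw === undefined || raw.trim() === '') return null;
  const parsed = JSON.parse(raw);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('N8N_CONTENT_SECURITY_POLICY must be a JSON object of directives');
  }
  const directives = {};
  for (const [name, value] of Object.entries(parsed)) {
    const values = Array.isArray(value) ? value : [value];
    if (!values.every((v) => typeof v === 'string')) {
      throw new Error(`CSP directive ${name}: values must be strings`);
    }
    directives[toDirectiveName(name)] = values;
  }
  if (!directives['default-src']) {
    throw new Error("CSP must define default-src when helmet's defaults are disabled");
  }
  return directives;
}

// Serialize to a header value: "name v1 v2; name2 v1".
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => [name, ...values].join(' '))
    .join('; ');
}

// Build the Set-Cookie value for the auth cookie. N8N_SAMESITE_COOKIE selects
// the SameSite mode, N8N_SECURE_COOKIE the Secure flag. Browsers reject a
// SameSite=None cookie that is not Secure, so setting only one of the two
// breaks the embedded login silently; refuse that combination up front.
function buildAuthCookie(token, { sameSite = 'lax', secure = true } = {}) {
  const mode = String(sameSite).toLowerCase();
  const allowed = { strict: 'Strict', lax: 'Lax', none: 'None' };
  if (!(mode in allowed)) {
    throw new Error(`N8N_SAMESITE_COOKIE must be strict, lax or none (got ${sameSite})`);
  }
  if (mode === 'none' && !secure) {
    throw new Error('SameSite=None requires Secure; set N8N_SECURE_COOKIE=true');
  }
  const parts = [`n8n-auth=${token}`, 'Path=/', 'HttpOnly', `SameSite=${allowed[mode]}`];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Assemble the framing-related response headers. Without a CSP the default
// X-Frame-Options: SAMEORIGIN stays. Once frame-ancestors is configured it
// governs framing, so X-Frame-Options is dropped and the two cannot disagree.
function securityHeaders(env) {
  const directives = parseCspEnv(env.N8N_CONTENT_SECURITY_POLICY);
  const headers = {};
  if (directives) {
    headers['Content-Security-Policy'] = serializeCsp(directives);
  }
  if (!directives || !directives['frame-ancestors']) {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Constructed environment: n8n embedded by a page served from https://example.com.
const embedEnv = {
  N8N_CONTENT_SECURITY_POLICY: JSON.stringify({
    defaultSrc: ["'self'"],
    frameAncestors: ['https://example.com'],
  }),
  N8N_SAMESITE_COOKIE: 'none',
  N8N_SECURE_COOKIE: 'true',
};

console.log(securityHeaders(embedEnv));
console.log(buildAuthCookie('<token>', {
  sameSite: embedEnv.N8N_SAMESITE_COOKIE,
  secure: embedEnv.N8N_SECURE_COOKIE === 'true',
}));
```

Note that a `frame-ancestors` list only controls who may frame n8n; the cookie still has to be `SameSite=None; Secure` for the embedded page to stay logged in, which also means n8n itself must be served over HTTPS.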
n8n-assistant (bot) added the labels "core" (Enhancement outside /nodes-base and /editor-ui) and "n8n team" (Authored by the n8n team) on Mar 12, 2025