
QR is not shown when enrolling an MFA in cloud #19692

Open
ahmadbabaeimoghadam opened this issue Jun 20, 2024 · 0 comments

Expected Behavior

QR code image is shown during enrolling an MFA for cloud instances.

Current Behavior

The slack thread related to this: https://graylog.slack.com/archives/C024KUJUB/p1718799036184369

When a newly created user logs into a Cloud instance for the first time and is taken through the MFA enrollment steps, the QR code image fails to load. There is an accompanying content security policy error in the browser console.
They haven't created a new user in a while, but pretty sure this worked in the past on 5.x releases.
To rule out any issues with their corporate network policies, confirmed the same issue occurs when accessed from an external device.
Steps to recreate:

  1. Create a new user in the Graylog portal
  2. Attempt to log in as the new user and follow the MFA onboarding steps until the QR Code page
  3. QR Code fails to load, as shown in the screenshot below, with an accompanying console error.

[screenshot: QR code page failing to load, with the CSP error in the browser console]

Possible Solution

This is the culprit, and the Cloud customers' domains are graylog.cloud not .org.

Content-Security-Policy: The page's settings blocked the loading of a resource (img-src) at https://graylog.okta.com/api/v1/users/00uk7t3culRZgMbQo4x7/factors/opfk7t2t8iFzFlRqa4x7/qr/20111IMYzZD8pF_3OGE7hQ-qt-4XwX6EQ8SoeAnqisJ40u62Ino1mXf because it violates the following directive: "img-src 'self' data: https://*.tile.openstreetmap.org https://graylog.org/"

A possible solution https://graylog.slack.com/archives/C024KUJUB/p1718886864553589?thread_ts=1718799036.184369&cid=C024KUJUB:

I would suggest we create a new cloud group (similar to default and swagger) for it, so we can separate things properly and do not include graylog.okta.com in our CSP for on premise unnecessarily

Steps to Reproduce (for bugs)

  1. Try to enroll an MFA in a cloud instance

Context

Your Environment

  • Graylog Version: Graylog Cloud 6.0.4 (479)
  • Java Version:
  • OpenSearch Version: v2.11 AWS
  • MongoDB Version:
  • Operating System:
  • Browser version:
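To make the CSP failure above concrete, here is an added example (not Graylog code) that evaluates a URL against the `img-src` source list quoted in the console error, using a simplified version of the CSP3 source-expression matching rules ('self', scheme sources like `data:`, host sources with a leading `*.` wildcard and path prefixes; ports and the `default-src` fallback are deliberately not modelled). The page origin `https://example.graylog.cloud`, the Okta IDs in the QR URL and the hardened policy `FIXED_CSP` are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed from the img-src directive quoted in the console error above.
CURRENT_CSP = "img-src 'self' data: https://*.tile.openstreetmap.org https://graylog.org/"
# Hypothetical policy for cloud instances that also allows the Okta origin.
FIXED_CSP = CURRENT_CSP + " https://graylog.okta.com"

def parse_directive(header, name):
    """Return the source list of directive `name` (e.g. 'img-src'), or None if absent."""
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # '*.example.org' matches sub.example.org but not example.org itself.
        return host.endswith(pattern[1:])
    return pattern == host

def _source_matches(expr, url, page_origin):
    u, page = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if expr.startswith("'"):  # other keywords are meaningless for img-src
        return False
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as data:
        return u.scheme.lower() == expr[:-1].lower()
    # host-source: [scheme://]host[:port][/path]; ports are ignored (simplification)
    scheme, _, rest = expr.partition("://") if "://" in expr else ("", "", expr)
    hostport, _, path = rest.partition("/")
    host = hostport.split(":")[0]
    # An http: pattern also matches https: URLs; otherwise schemes must be equal.
    allowed_schemes = {"http", "https"} if scheme == "http" else {scheme or page.scheme}
    if u.scheme.lower() not in allowed_schemes:
        return False
    if not _host_matches(host, u.hostname or ""):
        return False
    if path:
        path = "/" + path
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True

def is_allowed(header, directive, url, page_origin):
    """True if `url` may be loaded under `directive` of the given CSP header."""
    sources = parse_directive(header, directive)
    if sources is None:  # directive absent; default-src fallback not modelled
        return True
    if sources == ["'none'"]:
        return False
    return any(_source_matches(s, url, page_origin) for s in sources)
```

Running `is_allowed(CURRENT_CSP, "img-src", <okta QR URL>, "https://example.graylog.cloud")` returns False, which is exactly the block reported in the console; the same call against `FIXED_CSP` returns True.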