author: Fuwn <[email protected]> 2026-06-01 14:31:54 +0000
committer: Fuwn <[email protected]> 2026-06-01 14:31:54 +0000
commit: b53c69e654e68ebf86bc3b267616497116d4de77
tree: 242febb44d6800a00b691e33ba1cf4eed91e7668 /src/lib/Tools
parent: feat(security): add Content-Security-Policy
fix(security): allow media-src in CSP for external video
Static source sweep found a <video> on the home page (rendered when a user disables all content sections) sourced from video.twimg.com. media-src was unset, so it fell back to default-src 'self' and would be blocked. Add media-src 'self' data: blob: https: (matching img-src).
Diffstat (limited to 'src/lib/Tools')
0 files changed, 0 insertions, 0 deletions