stricter csp for video element, use media-src

configs/nginx/snippets/security_headers.conf

@@ -1,5 +1,5 @@
 add_header Cache-Control "public";
-add_header Content-Security-Policy "default-src 'self' blob:; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://example.com/" always;
+add_header Content-Security-Policy "default-src 'self'; media-src 'self' blob:; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://example.com/" always;
 add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 add_header X-Frame-Options "sameorigin" always;
 add_header X-Content-Type-Options "nosniff" always;

configs/nginx/snippets/security_headers_nocache.conf

@@ -1,4 +1,4 @@
-add_header Content-Security-Policy "default-src 'self' blob:; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://example.com/" always;
+add_header Content-Security-Policy "default-src 'self'; media-src 'self' blob:; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://example.com/" always;
 add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
 add_header X-Frame-Options "sameorigin" always;
 add_header X-Content-Type-Options "nosniff" always;