nginx/csp/frontend: fix: OpenLayers (map) worker-src

Split from https://github.com/getodk/central/pull/1526/files#r2587794987

The only identifiable Worker in frontend is from OpenLayers for displaying maps, and requires blob:, not data:.

Incorrect map-specific CSP introduced in getodk#1468.

Author: lognaturel

files/nginx/odk.conf.template

@@ -186,7 +186,7 @@ server {
 
     # Rules set to 'none' here would fallback to default-src if excluded.
     # They are included here to ease interpretation of violation reports.
-    add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' https://translate.google.com https://translate.googleapis.com; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src * data: https://translate.google.com; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; worker-src data:; report-uri /csp-report";
+    add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' https://translate.google.com https://translate.googleapis.com; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src * data: https://translate.google.com; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; worker-src blob:; report-uri /csp-report";
 
     include /usr/share/odk/nginx/common-headers.conf;
   }

test/nginx/test-nginx.js

@@ -50,7 +50,7 @@ const contentSecurityPolicies = {
     'script-src':     self,
     'style-src':      self,
     'style-src-attr': unsafeInline,
-    'worker-src':     'data:',
+    'worker-src':     'blob:',
     'report-uri':     '/csp-report',
   }),
   'disallow-all': {