DEV: Add manifest-src to CSP (#13319)

Defaults to `manifest-src: 'self'` and allows plugins/themes to extend it.

lib/content_security_policy/builder.rb

@@ -6,6 +6,7 @@ class ContentSecurityPolicy
     EXTENDABLE_DIRECTIVES = %i[
       base_uri
       frame_ancestors
+      manifest_src
       object_src
       script_src
       worker_src
@@ -19,7 +20,6 @@ class ContentSecurityPolicy
       form_action
       frame_src
       img_src
-      manifest_src
       media_src
       prefetch_src
       style_src

lib/content_security_policy/default.rb

@@ -14,6 +14,7 @@ class ContentSecurityPolicy
         directives[:worker_src] = worker_src
         directives[:report_uri] = report_uri if SiteSetting.content_security_policy_collect_reports
         directives[:frame_ancestors] = frame_ancestors if restrict_embed?
+        directives[:manifest_src] = ["'self'"]
       end
     end