update script-src and worker-src directives

[groovecoder]

Google Tag Manager needs script-src: unsafe-inline and worker-src: blob:. I created this branch to test these updates on the dev server.

This fix already works on dev, because API_DOCS_ENABLED is set to True.

For stage & prod, we will need to set two new env vars:

• CSP_SCRIPT_UNSAFE_INLINE=True
• CSP_WORKER_BLOB=True

How to test on dev:

1. Open a tab to https://analytics.google.com/analytics/web/#/p314403930/realtime/overview
2. Go to https://dev.fxprivaterelay.nonprod.cloudops.mozgcp.net/
3. Perform some actions on the page
   • [ ] No activity shows up in GA4
4. Push this branch to the dev server
5. Go to https://dev.fxprivaterelay.nonprod.cloudops.mozgcp.net/
6. Perform some actions on the page
   • [ ] Activity shows up in GA4

How to test on stage:

1. Open a tab to https://analytics.google.com/analytics/web/#/p314403930/realtime/overview
2. Go to https://stage.fxprivaterelay.nonprod.cloudops.mozgcp.net/
3. Perform some actions on the page
   • [ ] No activity shows up in GA4
4. Push this release to the stage server
   • [ ] Set CSP_SCRIPT_UNSAFE_INLINE=True
   • [ ] Set CSP_WORKER_BLOB=True
5. Go to https://stage.fxprivaterelay.nonprod.cloudops.mozgcp.net/
6. Perform some actions on the page
   • [ ] Activity shows up in GA4

• [x] ~l10n changes have been submitted to the l10n repository, if any.~
• [x] ~I've added a unit test to test for potential regressions of this bug.~
• [ ] I've added or updated relevant docs in the docs/ directory.
• [x] ~All UI revisions follow the coding standards, and use Protocol tokens where applicable (see /frontend/src/styles/tokens.scss).~
• [x] ~Commits in this PR are minimal and have descriptive commit messages.~