puppet: Add Content-Security-Policy for user avatars.

This adds a basic Content-Security-Policy for user-uploaded avatars
served by the LOCAL_UPLOADS backend.

I think this is for now an unnecessary follow-up to
d608a9d315, but is worth doing because
we may later change what can be uploaded in the avatars directory.
Tim Abbott 2018-04-10 13:38:07 -07:00
parent f7398cbb09
commit a463743107
1 changed files with 1 additions and 0 deletions


@ -14,6 +14,7 @@ server {
location /user_avatars {
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none' img-src 'self'";
include /etc/nginx/zulip-include/uploads.types;
alias /home/zulip/uploads/avatars;
}
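Review bot: the policy string in the `add_header Content-Security-Policy` line has no `;` between `default-src 'none'` and `img-src 'self'`, so it is parsed as a single `default-src` directive whose source list is `'none' img-src 'self'`. In that form `'none'` is ignored because it is not the only entry, and `'self'` ends up allowed for every resource type instead of images only, which is weaker than the commit message intends. Suggest `add_header Content-Security-Policy "default-src 'none'; img-src 'self'";` and checking the header a browser actually receives for a file under `/user_avatars`.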