uploads-internal: Mark `self` as a valid source of loading media.

Without this, the browser refused to play the video. To reproduce, press `open`
on an uploaded video on CZO. Chrome gives us the following error
in the console:

Refused to load media from '<source>' because it violates the
following Content Security Policy directive: "default-src 'none'".
Note that 'media-src' was not explicitly set, so 'default-src' is
used as a fallback.
Aman Agrawal 2023-10-11 05:34:50 +00:00 committed by Tim Abbott
parent c520a96354
commit f3ab45a152
1 changed files with 2 additions and 2 deletions


@ -2,7 +2,7 @@
location ~ ^/internal/s3/(?<s3_hostname>[^/]+)/(?<s3_path>.*) {
internal;
include /etc/nginx/zulip-include/headers;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
add_header Content-Security-Policy "default-src 'none'; media-src: 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
# The components of this path are originally double-URI-escaped
# (see zerver/view/upload.py). "location" matches are on
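Review bot: The new directive on the rewritten add_header line is spelled `media-src: 'self'` with a colon, which is not valid CSP syntax — directive names are bare tokens, so a browser will treat `media-src:` as an unrecognized directive, ignore it, and keep falling back to `default-src 'none'` for media, which leaves the playback failure described in the commit message in place. The line should read `add_header Content-Security-Policy "default-src 'none'; media-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";`. The same colon appears in the second hunk for the `/internal/local/uploads` location; both lines need the fix so the two internal locations stay in sync. After correcting it, verify in the browser console that the media loads without a CSP report, since an ignored directive typically only surfaces there as a warning; the remainder of this location block continues outside the hunk.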
@ -46,7 +46,7 @@ location ~ ^/internal/s3/(?<s3_hostname>[^/]+)/(?<s3_path>.*) {
location /internal/local/uploads {
internal;
include /etc/nginx/zulip-include/headers;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
add_header Content-Security-Policy "default-src 'none'; media-src: 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
# Django handles setting Content-Type, Content-Disposition, and Cache-Control.