nginx/csp: blank.html: allow form-action 'self'

[alxndrsn]

Closes #1856

What has been done to verify that this works as intended?

Updated tests.

Why is this the best possible solution? Were any other approaches considered?

Violations were reported to Sentry. An alternative would be to make the decrypt downloading in central-frontend less arcane. But that's not likely to be on the cards.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Should prevent incorrect reports.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

No.

Before submitting this PR, please make sure you have:

• branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
• verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

[matthew-white]

An alternative would be to make the decrypt downloading in central-frontend less arcane. But that's not likely to be on the cards.

I'm certainly open to it! It doesn't strike me as a priority, but I definitely agree that it's arcane.