Torrent Viewer CSP rule blocks <iframe> content

Torrent content is rendered into <iframe> when it's not video or audio
content. For example, a .jpg or a .pdf file. This is because we're
using a viewer page that includes the content; we're not returning the
content directly.

This is because the torrent may not be active and in that case, we show
the "Start Download?" page.

When this occurs, CSP prevents the iframe from loading content from the
webtorrent server at http://localhost:port

This is because we only make a CSP exception for media elements, not
iframe elements. This is an easy fix.

Fixes: #7243

app/extensions.js

@@ -166,22 +166,23 @@ let generateTorrentManifest = () => {
   let cspDirectives = {
     'default-src': '\'self\'',
     // TODO(bridiver) - remove example.com when webtorrent no longer requires it
+    //                  (i.e. once Brave uses webpack v2)
     'connect-src': '\'self\' https://example.com',
     'media-src': '\'self\' http://localhost:*',
     'form-action': '\'none\'',
     'referrer': 'no-referrer',
     'style-src': '\'self\' \'unsafe-inline\'',
-    'frame-src': '\'self\''
+    'frame-src': '\'self\' http://localhost:*'
   }
 
   if (process.env.NODE_ENV === 'development') {
     // allow access to webpack dev server resources
     let devServer = 'localhost:' + process.env.npm_package_config_port
-    cspDirectives['default-src'] = '\'self\' http://' + devServer
+    cspDirectives['default-src'] += ' http://' + devServer
     cspDirectives['connect-src'] += ' http://' + devServer + ' ws://' + devServer
-    cspDirectives['media-src'] = '\'self\' http://localhost:* http://' + devServer
-    cspDirectives['frame-src'] = '\'self\' http://' + devServer
-    cspDirectives['style-src'] = '\'self\' \'unsafe-inline\' http://' + devServer
+    cspDirectives['media-src'] += ' http://' + devServer
+    cspDirectives['frame-src'] += ' http://' + devServer
+    cspDirectives['style-src'] += ' http://' + devServer
   }
 
   return {