
fix(csp): allow http: iframes so Spoolman loads on HTTP LAN hosts (#1054)

  The strict CSP shipped in 0.2.3b4 / 0.2.3.1 whitelisted only `https:`
  for `frame-src`, so the Filament tab's Spoolman iframe was blocked
  on the typical self-host setup where Spoolman runs on plain HTTP on
  a LAN. Reporter saw a blank Filament page with a brief Spoolman
  flash on reload and a browser-console CSP violation pointing at
  `http://<host>:7912/spool`.

  Allow `http:` as well, matching the `connect-src 'self' ws: wss:`
  pattern already used for WebSockets. `frame-ancestors 'none'` still
  prevents Bambuddy itself from being framed cross-origin, which is
  the protection that actually matters for clickjacking defense.
maziggy 1 month ago
parent
commit
07ef042729
2 files changed with 2 additions and 1 deletion
  1. CHANGELOG.md (+1 -0)
  2. backend/app/main.py (+1 -1)

The file diff has been suppressed because it is too large
+ 1 - 0
CHANGELOG.md


+ 1 - 1
backend/app/main.py

@@ -4341,7 +4341,7 @@ async def security_headers_middleware(request, call_next):
         "font-src 'self' data: https://fonts.gstatic.com; "
         "object-src 'none'; "
         "base-uri 'self'; "
-        "frame-src 'self' https:; "
+        "frame-src 'self' http: https:; "
         "frame-ancestors 'none';"
     )
     if request.url.scheme == "https":
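Review bot: the `+` line replaces an `https:`-only `frame-src` with `http: https:`, which permits the Filament tab to frame any plain-HTTP origin, not just the Spoolman host the commit message describes; consider building this directive from the configured Spoolman URL's origin (scheme, host and port) instead of the scheme-wide wildcard, so the allowance stays scoped to the one iframe target that needs it. Worth a short comment on the `frame-src` line as well: when Bambuddy itself is served over HTTPS the browser still blocks an `http:` iframe as mixed content regardless of CSP, so the `http:` entry only takes effect on plain-HTTP deployments, which is the case the following `if request.url.scheme == "https":` branch already distinguishes.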

Some files were not shown because too many files changed in this diff