fix: Example allows manifest from self

- Given example is quite handy starting copy&paste.
- Unfortunatelly for Chrome with modern Ember apps it gives:

```
assessment:1 Refused to load manifest from 'http://localhost:4200/manifest.webmanifest' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'manifest-src' was not explicitly set, so 'default-src' is used as a fallback.
```

- This patch makes the README as a nicer starting point.

README.md

@@ -102,13 +102,14 @@ module.exports = function (environment) {
     enabled: true,
     failTests: true,
     policy: {
-      'default-src': ["'none'"],
-      'script-src': ["'self'"],
-      'font-src': ["'self'"],
-      'connect-src': ["'self'"],
-      'img-src': ["'self'"],
-      'style-src': ["'self'"],
-      'media-src': ["'self'"],
+       'default-src':  ["'none'"],
+       'script-src':   ["'self'"],
+       'font-src':     ["'self'"],
+       'connect-src':  ["'self'"],
+       'img-src':      ["'self'"],
+       'style-src':    ["'self'"],
+       'manifest-src': ["'self'"],
+       'media-src':    ["'self'"],
     },
     reportOnly: true,
   };
@@ -142,6 +143,8 @@ module.exports = function (environment) {
       'img-src': ["'self'"],
       // Allow CSS loaded from https://fonts.googleapis.com
       'style-src': ["'self'", 'https://fonts.googleapis.com'],
+      // Allow manifest from the origin itself (i.e. current domain)
+      'manifest-src': ["'self'"],
       // Omit `media-src` from policy
       // Browser will fallback to default-src for media resources (which is 'none', see above)
       'media-src': null,

lib/utils.js

@@ -81,6 +81,7 @@ function calculateConfig(environment, ownConfig, runConfig, ui) {
       'connect-src': [CSP_SELF],
       'img-src': [CSP_SELF],
       'style-src': [CSP_SELF],
+      'manifest-src': [CSP_SELF],
       'media-src': [CSP_SELF],
     },
     reportOnly: true,