Use {script,style}_src instead of _elem, for better compatibility

Oh, I didn't realize the `_elem` variant of these parts of the
`Content-Security-Policy` is newer, and so doesn't even work on my
current version of Safari on my Mac.

My rationale at the time was: `script_src_elem` is stricter against
things like imports, and I figured, ok let's do the strictest policy
that works. But since it's not fully compatible with browsers even
*I'm* using right now, and I'm not aware of an actual problem it would
prevent, let's back off that a bit! This should have the same effective
security properties for our case.

Note that the effect of this compatibility issue wasn't *weakening* the
policy; it was being *too* strict, by blocking the scripts and the
stylesheets. This is because `script_src_elem` was ignored, and
`script_src` was absent, so it fell back to `default_src none`.
Emi Matchu 2024-07-06 12:47:59 -07:00
parent 57c08b5646
commit 7ec900b6b6
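The commit message's reasoning rests on the CSP3 fallback chain: a browser that does not implement `script-src-elem` / `style-src-elem` skips that directive, then looks for `script-src` / `style-src`, then `default-src`. The following Ruby snippet is an added illustration, not code from this repository or commit; it models that chain for the two fetch kinds the diff touches, using the Rails `content_security_policy` DSL names (`script_src_elem`, `script_src`, `default_src`) as hash keys. The policies and the asset URL are constructed for the example.

```ruby
# Added example (not part of the commit): resolves which CSP directive a
# browser actually applies when loading a <script> element or a stylesheet,
# following the CSP3 fallback chain:
#   script-src-elem -> script-src -> default-src
#   style-src-elem  -> style-src  -> default-src
# A browser that does not implement the *-elem directives skips that step.

# Keys mirror the Rails content_security_policy DSL names used in the diff.
FALLBACK_CHAINS = {
  script_element: %i[script_src_elem script_src default_src],
  style_element:  %i[style_src_elem style_src default_src],
}.freeze

ELEM_DIRECTIVES = %i[script_src_elem style_src_elem].freeze

# Returns [directive_name, source_list] for the first directive the browser
# honours, or nil when no directive applies (CSP then permits the load).
def effective_directive(policy, fetch_kind, supports_elem: true)
  FALLBACK_CHAINS.fetch(fetch_kind).each do |name|
    # Older browsers (e.g. the Safari version in the commit message) ignore *_elem.
    next if !supports_elem && ELEM_DIRECTIVES.include?(name)
    return [name, policy[name]] if policy.key?(name)
  end
  nil
end

# Would the browser allow this URL for this fetch kind under the policy?
def allowed?(policy, fetch_kind, url, supports_elem: true)
  resolved = effective_directive(policy, fetch_kind, supports_elem: supports_elem)
  return true if resolved.nil?          # no governing directive at all
  _name, sources = resolved
  return false if sources == ["'none'"] # explicit deny
  sources.include?(url)
end

# Constructed policies shaped like the controller's before/after versions.
EASEL  = "https://example.test/assets/lib/easeljs.min.js" # constructed URL
BEFORE = { default_src: ["'none'"], script_src_elem: [EASEL] }.freeze
AFTER  = { default_src: ["'none'"], script_src: [EASEL] }.freeze

if __FILE__ == $PROGRAM_NAME
  [["modern browser", true], ["browser without *_elem", false]].each do |label, elem|
    before = allowed?(BEFORE, :script_element, EASEL, supports_elem: elem)
    after  = allowed?(AFTER,  :script_element, EASEL, supports_elem: elem)
    puts "#{label}: before=#{before} after=#{after}"
  end
end
```

Running it shows the failure mode the commit describes: with `BEFORE`, a browser lacking `*_elem` support falls through to `default_src 'none'` and blocks the script, while `AFTER` allows it in both browser generations. In a browser that does support `script-src-elem`, the absence of that directive in `AFTER` also resolves to `script_src`, which is why the allowlist is the same either way.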


@ -15,7 +15,7 @@ class SwfAssetsController < ApplicationController
)
}
policy.script_src_elem -> {
policy.script_src -> {
src_list(
helpers.javascript_url("lib/easeljs.min"),
helpers.javascript_url("lib/tweenjs.min"),
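Review bot: The `policy.script_src_elem` to `policy.script_src` rename in this hunk widens the directive's scope, not only its browser support: `script-src` also governs inline scripts, `eval`, and (via fallback) worker scripts, whereas `script-src-elem` only covered `<script>` elements and their fetches. It is not a loosening here, because everything outside the allowlist was already denied by `default_src none`, but a one-line comment above the directive saying so would stop a later reader from treating the two as interchangeable. For the compatibility claim in the message: CSP3 falls back from `script-src-elem` to `script-src` when the former is absent, so browsers that do support the newer directive apply the same `src_list(...)` allowlist after this change.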
@ -24,7 +24,7 @@ class SwfAssetsController < ApplicationController
)
}
policy.style_src_elem -> {
policy.style_src -> {
src_list(
helpers.stylesheet_url("swf_assets/show"),
)
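Review bot: Same scope change for styles: `style-src` additionally covers inline `style=` attributes (what `style-src-attr` would govern), which `style-src-elem` did not. With `default_src none` as the previous fallback those were already blocked, so nothing is weakened, but if the `swf_assets/show` view ever needs an inline style this is the directive that will reject it; a short comment next to `policy.style_src` would save that debugging session. The `src_list(helpers.stylesheet_url("swf_assets/show"))` allowlist itself is unchanged.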