apache2: Allow downloads in openvpn and backups with latest browsers

Closes: #2002.

Entire FreedomBox UI is served within a sandbox that is originally meant for
cross-site iframes.

A newly introduced flag allow-downloads is required to trigger downloads. Two
instances where this is used in FreedomBox is openvpn profiled download and
backup download. Firefox 81 and Chrome 83 implement this flag.

Add 'allow-downloads' to sandbox directives to fix this.

References:

- whatwg/html#4293
- https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
- https://bugzilla.mozilla.org/show_bug.cgi?id=1558394
- https://www.chromestatus.com/feature/5706745674465280

Tests:

- Check that OpenVPN profile can be downloaded.
- Check that backups can be downloaded.
- Check on Firefox 78 and Chromium 83.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>

data/etc/apache2/conf-available/freedombox.conf

@@ -46,7 +46,7 @@ RedirectMatch "^/freedombox" "/plinth"
 ##
 <Location /plinth>
     Header set Referrer-Policy 'same-origin'
-    Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
+    Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
     Header set X-Content-Type-Options 'nosniff'
 </Location>