Refine CSP frame-src and connect-src configuration

Blog:
- Remove unused frame-src entries for domains that renderer
  normalizes to canonical URLs (3speak.tv handles all variants)
- Remove frame-src entry for unavailable embed subdomain

Wallet:
- Remove images.hive.blog from connect-src as wallet only
  accesses it via server-side API routes, not client-side fetch