Fix privacy.html: add script-src to CSP so legal text renders

privacy.html

@@ -5,7 +5,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>xmrpay.link — Privacy & Terms</title>
   <meta name="description" content="Privacy policy and terms of use for xmrpay.link.">
-  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; base-uri 'none'">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; base-uri 'none'">
   <link rel="icon" href="favicon.svg" type="image/svg+xml">
   <link rel="stylesheet" href="style.css?v=20260326-3" integrity="sha384-HrVyafi6sY5wzJh/jPfdCAq5WytRoWDiUnZ/Y05Xt2Oz1C+kLZLO47euo7q3fv46" crossorigin="anonymous">
   <style>
@@ -212,7 +212,7 @@
     <div class="lang-dropdown" id="langDropdown"></div>
   </div>
 
-  <script src="i18n.min.js?v=20260326-3" defer></script>
+  <script src="i18n.min.js?v=20260326-3" integrity="sha384-2e9pIwCQ/KevKVnMp883Bv+DZu3vI8kbVRT89+Grgo6dervhKY+G9hL7wn1Duhfj" crossorigin="anonymous" defer></script>
   <script>
     document.addEventListener('DOMContentLoaded', function () {
       var supported = ['en', 'de', 'fr', 'it', 'es', 'pt', 'ru'];