Include the primary domain in the Content-Security-Policy explicitly if there's no CDN
Ref T4340. If you don't configure a CDN and visit a custom site (like a Phame blog site, or a CORGI sandbox internally) we serve resources from the main site. This violates the Content-Security-Policy.
When there's no CDN, include the primary domain in the CSP explicitly.
Test Plan: Loaded local.www.phacility.com, got resources.
Maniphest Tasks: T4340
Differential Revision: https://secure.phabricator.com/D19170