fix: add CSRF header to video thumbnail PUT requests

The double-submit CSRF middleware blocks all mutating requests
without the X-CSRF-Token header. photos.js was uploading video
thumbnails via PUT without it, causing a flood of 403 errors.

- Add getCsrfHeaders() spread to the fetch headers
- Add credentials: 'same-origin' to ensure cookie is sent

Author: Diocrafts

static/js/features/library/photos.js

@@ -282,12 +282,13 @@ const photosView = {
                 // Upload to server for permanent caching
                 const token = localStorage.getItem('token')
                     || sessionStorage.getItem('token');
-                const headers = { 'Content-Type': blob.type };
+                const headers = { 'Content-Type': blob.type, ...getCsrfHeaders() };
                 if (token) headers['Authorization'] = `Bearer ${token}`;
 
                 fetch(`/api/files/${fileId}/thumbnail/preview`, {
                     method: 'PUT',
                     headers,
+                    credentials: 'same-origin',
                     body: blob,
                 }).then((resp) => {
                     if (resp.ok) {