
Respect openid_connect_content_security_form_action_enabled configuration only on client-side redirects

Open mitchellhenke opened this issue 9 months ago • 0 comments

🛠 Summary of changes

Following on from the long history of #10036, #9790, #9755, #9669, this PR intends to align the overly configurable OIDC redirect behavior with openid_connect_content_security_form_action_enabled.

Currently, openid_connect_content_security_form_action_enabled will enable/disable entirely, without regard to whether it is needed. This is because the original implementation intended to cut over all redirects to client-side, and then later disable and remove the form-action Content Security Policy (CSP). This is no longer feasible in the near term. The changes here intend to disable the form-action CSP if and only if openid_connect_content_security_form_action_enabled is disabled and the OIDC redirect method is not server_side. This will allow us to remove the form-action CSP behavior more selectively while maintaining backwards compatibility with service providers that are not able to move to client-side redirects at this point.

A more detailed explanation is available here and here.

mitchellhenke · May 10 '24 17:05
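The decision the PR describes is small but easy to get backwards, and the security stake is concrete: when the IdP finishes an OIDC authorization by answering a form POST with a server-side 302 to the service provider, Chrome checks that redirect target against the page's form-action directive, so the SP's origin has to be allowed there or the login breaks; a client-side redirect (JavaScript or meta refresh) never consults form-action, which is why the directive can be dropped for those SPs. The following Ruby is an added example written for this page, not identity-idp's own code: the config struct, the per-SP override argument, the setting name `openid_connect_redirect` and the method names are assumptions for illustration, and the only values taken from the PR text are the flag name and the `server_side` method. It contrasts the pre-PR rule (flag only) with the intended rule (flag off AND redirect not server_side), and builds the directive value from a constructed redirect_uri, restricting it to the origin so a path or query string can never widen the policy.

```ruby
require 'uri'

# Constructed settings container for this example. The real app reads these
# from its config store; only the flag name comes from the PR text, the
# `openid_connect_redirect` setting name is assumed.
Settings = Struct.new(:openid_connect_content_security_form_action_enabled,
                      :openid_connect_redirect, keyword_init: true)

# Pre-PR behaviour as the description puts it: the flag alone decides whether
# the form-action directive is emitted, regardless of how the SP is redirected.
def legacy_form_action_csp?(settings)
  settings.openid_connect_content_security_form_action_enabled
end

# Hypothetical per-SP override: an SP that cannot move to a client-side
# redirect pins itself to 'server_side'; otherwise the global default applies.
def effective_redirect_method(settings, sp_redirect_method)
  sp_redirect_method || settings.openid_connect_redirect
end

# Intended behaviour: the directive is kept unless the flag is off AND the
# effective redirect method is not server_side. A server-side redirect always
# keeps it, because the browser applies form-action to the POST's 302 target.
def form_action_csp?(settings, sp_redirect_method = nil)
  return true if settings.openid_connect_content_security_form_action_enabled

  effective_redirect_method(settings, sp_redirect_method) == 'server_side'
end

# Builds the form-action directive value for the SP's redirect_uri when the
# directive is required, or nil when it can be left off entirely. Only the
# origin (scheme, host, non-default port) is allowed, never path or query.
def form_action_directive(settings, redirect_uri, sp_redirect_method = nil)
  return nil unless form_action_csp?(settings, sp_redirect_method)

  uri = URI.parse(redirect_uri)
  unless uri.is_a?(URI::HTTP) && uri.host
    raise ArgumentError, "redirect_uri must be an absolute http(s) URL: #{redirect_uri.inspect}"
  end
  origin = "#{uri.scheme}://#{uri.host}"
  origin += ":#{uri.port}" unless uri.port == uri.default_port
  "form-action 'self' #{origin}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: flag disabled, global default client-side, one SP
  # still on server-side redirects.
  flag_off = Settings.new(openid_connect_content_security_form_action_enabled: false,
                          openid_connect_redirect: 'client_side')
  p form_action_directive(flag_off, 'https://sp.example.gov/callback')
  p form_action_directive(flag_off, 'https://sp.example.gov/callback', 'server_side')
end
```

The pre-PR rule is the one to watch in review: with the flag off, `legacy_form_action_csp?` drops the directive for a server-side SP too, which is exactly the regression the PR's "if and only if" wording is meant to prevent.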