NelmioSecurityBundle
Do not add signatures if `unsafe-inline` is enabled
Currently, signatures are still explicitly added even if unsafe-inline was already present in the script-src or style-src directive. However, if your application adds a lot of hashes (for style="…", for example) and you decide to instead allow unsafe-inline in general, the hashes are still output in the response header. This might lead to the response header size being too large if there are a lot of long hashes, for example.
This PR would automatically not apply any signatures if unsafe-inline was enabled.
wdyt?
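An added illustration of the proposed rule, as a standalone Python sketch rather than the bundle's own PHP code: hash-sources for a directive are dropped once `'unsafe-inline'` is already listed, and the header shrinks accordingly. The function names and the constructed inline styles are assumptions made for this example.

```python
import base64
import hashlib

UNSAFE_INLINE = "'unsafe-inline'"


def inline_hash(body: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline <script>/<style> body: 'sha256-<base64>'."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_directive(name: str, sources: list[str], hashes: list[str],
                    drop_hashes_with_unsafe_inline: bool = True) -> str:
    """Render one directive, e.g. "style-src 'self' 'sha256-...'".

    With drop_hashes_with_unsafe_inline=True the hash-sources are omitted when
    'unsafe-inline' is already in the directive: they only add header bytes.
    Caveat: CSP Level 2+ browsers ignore 'unsafe-inline' as soon as a hash or
    nonce source is present, so emitting both is not "both allowed" but
    "hashes only" in those browsers; dropping the hashes changes the effective
    policy to the 'unsafe-inline' the operator asked for.
    """
    if drop_hashes_with_unsafe_inline and UNSAFE_INLINE in sources:
        hashes = []
    return " ".join([name, *sources, *hashes])


def build_csp(directives: dict[str, tuple[list[str], list[str]]],
              drop_hashes_with_unsafe_inline: bool = True) -> str:
    """Join directives into a Content-Security-Policy header value."""
    return "; ".join(
        build_directive(name, src, hsh, drop_hashes_with_unsafe_inline)
        for name, (src, hsh) in directives.items()
    )


def demo() -> tuple[str, str]:
    """Constructed case: 200 inline style="..." attributes, each hashed."""
    inline_styles = [f"color: #{i:06x}" for i in range(200)]  # constructed input
    style_hashes = [inline_hash(s) for s in inline_styles]
    directives = {
        "default-src": (["'self'"], []),
        "script-src": (["'self'"], []),
        "style-src": (["'self'", UNSAFE_INLINE], style_hashes),
    }
    current = build_csp(directives, drop_hashes_with_unsafe_inline=False)
    proposed = build_csp(directives, drop_hashes_with_unsafe_inline=True)
    return current, proposed


if __name__ == "__main__":
    before, after = demo()
    print(f"current header: {len(before)} bytes; proposed: {len(after)} bytes")
```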