oidc/callback: tighten Content-Security-Policy #1802

Open

alxndrsn wants to merge 4 commits into getodk:master from alxndrsn:oidc-csp-update

Conversation

@alxndrsn (Contributor) commented Apr 14, 2026

Adds the following directives:

  • form-action
  • frame-ancestors

Ref:

  • getodk/central#1533
  • getodk/central#1742
What has been done to verify that this works as intended?

Tested on dev to ensure:

  • can still log in with OIDC
  • expected headers are set on /callback

Why is this the best possible solution? Were any other approaches considered?

There's no form on the callback page, and it's not expected to be embedded in a frame.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

No effect, if it's correct.

Does this change require updates to the API documentation? If so, please update docs/api.yaml as part of this PR.

No.

Before submitting this PR, please make sure you have:

  • run make test and confirmed all checks still pass, or witnessed GitHub completing all checks with success
  • verified that any code from external sources is properly credited in comments or that everything is internally sourced

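Checking that the expected directives are actually present on the /callback response, as an added example in JavaScript (not code from this PR or from ODK Central). It assumes both directives are set to 'none', which the description implies (no form, not framed) but does not state, and the sample headers are constructed.

```javascript
// Added example, not code from the getodk/central PR: parse a
// Content-Security-Policy header and verify that the OIDC /callback
// response carries the two directives this PR adds. The value 'none'
// for both directives is an assumption drawn from the PR description.

// Parse "dir1 v1 v2; dir2 v3" into a Map of directive -> [values].
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // Directive names are case-insensitive; browsers honour the first
    // occurrence of a directive and ignore later duplicates.
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Check the /callback response headers (lower-cased names, as Node's
// http module exposes them). Returns a list of problems; an empty list
// means the policy is as tight as this PR intends.
function checkCallbackCsp(headers) {
  const raw = headers['content-security-policy'];
  // frame-ancestors is only honoured when delivered as an HTTP header,
  // never from a <meta> tag, so the header itself must be present.
  if (raw === undefined) return ['missing Content-Security-Policy header'];
  const csp = parseCsp(raw);
  const problems = [];
  for (const name of ['form-action', 'frame-ancestors']) {
    const values = csp.get(name);
    if (values === undefined) {
      problems.push(`missing ${name} directive`);
    } else if (!(values.length === 1 && values[0].toLowerCase() === "'none'")) {
      problems.push(`${name} should be 'none', got: ${values.join(' ') || '(empty)'}`);
    }
  }
  return problems;
}

// Constructed sample responses, not captured from a real server.
const BEFORE = { 'content-security-policy': "default-src 'none'" };
const AFTER = {
  'content-security-policy':
    "default-src 'none'; form-action 'none'; frame-ancestors 'none'",
};

console.log(checkCallbackCsp(BEFORE)); // two missing-directive problems
console.log(checkCallbackCsp(AFTER));  // []
```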
@matthew-white (Member)

If there's a simple way to deploy there and switch auth to OIDC, that would be ideal.

Possibly relevant: getodk/central#1753

@alxndrsn (Contributor, Author)

Possibly relevant: getodk/central#1753

More than relevant 🙇 now tested 👍
