Add option to drop CSP headers from OIDC response
Summary
Most mobile apps that use OIDC delegate authentication to the browser. The redirect list may then contain an "app.name://" URI. A bug in Safari doesn't allow such URIs in CSP headers. This feature allows one to drop CSP headers from OIDC responses (at least authorization responses).