Drop only CSP header when oidcDropCspHeaders is set, not CORS headers
When relying party is the browser, Chromium refuses to query OIDC endpoints without CORS headers
When relying party is the browser, Chromium refuses to query OIDC endpoints without CORS headers