
Change rate-limiting middleware to remove CSP report-only header entirely when not reporting #248

Open
Tracked by #253
robhudson opened this issue Nov 22, 2024 · 1 comment

Comments

@robhudson
Member

Description

Some browsers log a console warning when they detect a Content-Security-Policy-Report-Only header that does not include a report-uri or report-to directive. Currently, the rate-limiting middleware removes these directives when the percentage threshold is reached, leading to this warning.

Proposed Changes

1. For the enforced CSP header:
   • Retain the current behavior: remove the report-uri or report-to directives only when the percentage threshold is reached.
2. For the report-only CSP header:
   • Modify the behavior to completely remove the header when the percentage threshold is reached to avoid unnecessary browser warnings.

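A small model of the current and proposed behavior, added here as an illustration and not the project's own middleware code. The header names are the real CSP headers; the sample policies, the `roll` parameter (the random draw, injected so the outcome is reproducible) and the function names are constructed for this example.

```python
import random
from typing import Dict, Optional

# Directives that tell the browser where to send violation reports.
REPORT_DIRECTIVES = ("report-uri", "report-to")
ENFORCED = "Content-Security-Policy"
REPORT_ONLY = "Content-Security-Policy-Report-Only"


def strip_report_directives(policy: str) -> str:
    """Remove report-uri/report-to from a serialized policy, keeping every other directive."""
    kept = []
    for directive in policy.split(";"):
        directive = directive.strip()
        if directive and directive.split()[0].lower() not in REPORT_DIRECTIVES:
            kept.append(directive)
    return "; ".join(kept)


def has_report_directive(policy: str) -> bool:
    """True when the policy names a reporting endpoint."""
    return any(d.strip().split()[0].lower() in REPORT_DIRECTIVES
               for d in policy.split(";") if d.strip())


def build_csp_headers(enforced: Optional[str], report_only: Optional[str],
                      report_percentage: float, drop_unreported_report_only: bool,
                      roll: Optional[float] = None) -> Dict[str, str]:
    """Decide which CSP headers one response carries.

    A response is in the reporting sample when roll * 100 < report_percentage.
    drop_unreported_report_only=False models the current behavior (report-only header
    kept with its reporting directives stripped); True models the proposed change
    (report-only header removed entirely outside the sample).
    """
    if roll is None:
        roll = random.random()  # constructed default; the middleware would draw per response
    in_sample = roll * 100 < report_percentage
    headers: Dict[str, str] = {}
    if enforced:
        headers[ENFORCED] = enforced if in_sample else strip_report_directives(enforced)
    if report_only:
        if in_sample:
            headers[REPORT_ONLY] = report_only
        elif not drop_unreported_report_only:
            headers[REPORT_ONLY] = strip_report_directives(report_only)
    return headers


def triggers_console_warning(headers: Dict[str, str]) -> bool:
    """The condition the issue describes: a report-only header with no reporting endpoint."""
    return REPORT_ONLY in headers and not has_report_directive(headers[REPORT_ONLY])
```

With the proposed behavior, `triggers_console_warning` is false for every response, while the enforced policy still loses only its reporting directives outside the sample.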
@janbrasna
Contributor

I'm thinking about the utility of having the RO CSP even without reporting endpoints, or when outside of the percentage sample, somehow optionally; for debug/dev purposes.

While it's unfortunate for prod environments given the console warnings, it might have some utility for nonprod use even then, as it still warns if any RO violates, right there in the console.

Didn't think about a good design for such a route, effectively being a "config" that would allow emitting even if otherwise not reported for the response, just wanted to share before I forget;)

(Not something blocking this issue/PR, only thinking out loud in case a follow-up feature making this behavior configurable could make sense.)
