Allow OAuth redirect_uri host in form-action CSP on sign-in pages

Safari enforces form-action against every hop in a form submission's
redirect chain. When a user signed in (with TOTP, or through a
skip_consent OIDC app), the chain /signin or /totp-verification ->
/oauth/authorize -> external client got blocked at the cross-origin
hop because form-action was 'self'. The existing dynamic CSP widening
in OidcController#authorize only ran when the consent page rendered,
so skip_consent and pre-consented flows had no widening at all.

Add allow_oauth_redirect_in_csp on the sign-in and TOTP pages, which
pulls the OAuth redirect_uri out of session[:return_to_after_authenticating]
and appends its host to form-action for the rendered page.
Dan Milne
2026-05-23 11:03:32 +10:00
parent bdb10d86fb
commit 0bca1d2bac
2 changed files with 30 additions and 0 deletions

@@ -28,6 +28,8 @@ class SessionsController < ApplicationController
end
end
allow_oauth_redirect_in_csp
respond_to do |format|
format.html # render HTML login page
format.json { render json: {error: "Authentication required"}, status: :unauthorized }
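Review bot: In this first SessionsController hunk, allow_oauth_redirect_in_csp runs on the unauthenticated sign-in page, and per the commit message it reads the redirect_uri from session[:return_to_after_authenticating], which may not have been validated against the client at this point. The helper body is not in this hunk, so please confirm it only appends a host that matches a redirect URI registered for the requesting client; otherwise any caller-supplied redirect_uri would loosen form-action on the login form. The call also sits before respond_to, so it runs for the format.json 401 branch where no form is rendered; moving it inside format.html would limit the widening to the page that needs it.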
@@ -154,6 +156,8 @@ class SessionsController < ApplicationController
@user_has_webauthn = user&.can_authenticate_with_webauthn?
@pending_email = user&.email_address
allow_oauth_redirect_in_csp
# Just render the form
end
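Review bot: The call added just before "# Just render the form" in the TOTP action carries no comment explaining why this page needs a wider CSP, so a later cleanup could drop it without noticing the Safari regression. A one-line comment stating that Safari checks form-action against each redirect hop and the OAuth client's host must therefore be allowed here would help. If not already covered elsewhere in the change, a request test asserting the form-action directive on this page, both with and without a pending OAuth return_to in the session, would lock the behaviour in and show that the policy stays at 'self' when no OAuth flow is in progress.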