csp: include report samples where supported

[alxndrsn]

This should help to understand future violations more easily.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy#report-sample

Related: #1687

What has been done to verify that this works as intended?

• tests/CI
• tested on dev.getodk.cloud & reviewed Sentry reports

Why is this the best possible solution? Were any other approaches considered?

Alternative approach would be to only include in directives relevant to #1687

However, there might be future cases where seeing samples would be useful.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

No risk perceived:

• directives which are not understood should be ignored by browsers
• CSP-Report-Only issues shouldn't have any effects on the user anyway

Does this change require updates to documentation? If so, please file an issue here and include the link below.

No.

Before submitting this PR, please make sure you have:

• branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
• verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced