FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180)

- Define the CSP based on the requested domain / scheme (respecting force_https)
- Update EnforceHostname middleware to allow secondary domains, add specs
- Add URL scheme to anon cache key so that CSP headers are cached correctly

lib/content_security_policy/builder.rb

@@ -25,8 +25,8 @@ class ContentSecurityPolicy
       style_src
     ].freeze
 
-    def initialize
-      @directives = Default.new.directives
+    def initialize(base_url:)
+      @directives = Default.new(base_url: base_url).directives
     end
 
     def <<(extension)