nginx/csp: allow favicons for backend requests #1854

Merged: alxndrsn merged 15 commits into getodk:next from alxndrsn:enable-csp-backend on Apr 30, 2026

Conversation

@alxndrsn (Contributor) commented Apr 28, 2026

Closes #1851

What has been done to verify that this works as intended?

  • updated tests
  • tested in dev

Why is this the best possible solution? Were any other approaches considered?

  • blanket policy for all backend responses
  • ultimately should be moved to Content-Security-Policy instead of Content-Security-Policy-Report-Only, at which point care will need to be taken to ensure it's only set if no Content-Security-Policy is provided by odk-central-backend.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

  • No visible effect or risk of regression - currently report only.
  • Should prevent img-src CSP violation reports from being sent for favicon.ico requests, reducing users' bandwidth if they ever encountered this.
  • Relaxation of current policy, so should not block previously-available content.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

No.

Before submitting this PR, please make sure you have:

  • branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
  • verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced
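The description above turns on two CSP details: why a favicon load trips an img-src violation under a deny-all policy but not once img-src permits the page's own origin, and the rule that a proxy-level policy should only be added when odk-central-backend has not already sent a Content-Security-Policy header. The following is an added illustration, not the PR's nginx configuration or its mocha tests. The policy strings, the request URLs and the header-precedence helper are constructed assumptions for the example and are not taken from odk.conf.template.

```python
"""Small CSP source-list evaluator plus a proxy header-precedence helper.

Added example; the policies and URLs below are constructed and do not
reproduce the real odk.conf.template contents.
"""
from urllib.parse import urlsplit

# Constructed sample policies (assumptions, not the project's real policy).
DENY_ALL = "default-src 'none'"
ALLOW_FAVICON = "default-src 'none'; img-src 'self'"

# Fetch directives that fall back to default-src when absent.
FETCH_FALLBACK = {d: "default-src" for d in
                  ("img-src", "script-src", "style-src", "connect-src", "font-src")}


def parse_csp(policy):
    """Parse 'name src src; name src' into {name: [sources]}; first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _source_matches(source, page_url, resource_url):
    """Does one CSP source expression permit loading resource_url from page_url?"""
    src = source.strip().lower()
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if src == "'none'":
        return False
    if src == "'self'":  # same scheme, host and port as the document
        return (page.scheme, page.hostname, page.port) == (res.scheme, res.hostname, res.port)
    if src == "*":
        return res.scheme in ("http", "https")
    if src.endswith(":") and "/" not in src:  # scheme-source such as "https:"
        return res.scheme == src[:-1]
    # host-source: [scheme://]host[:port], host may begin with "*."
    scheme, _, hostport = src.rpartition("://")
    if scheme and res.scheme != scheme:
        return False
    host, _, port = hostport.partition(":")
    if port and port != "*" and str(res.port or "") != port:
        return False
    if host.startswith("*."):
        return (res.hostname or "").endswith(host[1:])
    return res.hostname == host


def check_load(policy, directive, page_url, resource_url):
    """Return (allowed, blocking_directive) for one fetch under the policy.

    blocking_directive is the directive whose source list rejected the load
    (the fallback default-src when the specific directive is absent)."""
    directives = parse_csp(policy)
    name = directive if directive in directives else FETCH_FALLBACK.get(directive)
    if name not in directives:
        return True, None  # no applicable directive: nothing restricts it
    if any(_source_matches(s, page_url, resource_url) for s in directives[name]):
        return True, None
    return False, name


def choose_csp_headers(upstream_headers, proxy_policy, report_only=True):
    """Assumed precedence rule from the PR description: add the proxy's policy
    only when the upstream response carries no Content-Security-Policy."""
    names = {k.lower() for k in upstream_headers}
    out = dict(upstream_headers)
    if "content-security-policy" in names:
        return out  # backend owns the policy; leave its headers untouched
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    out[header] = proxy_policy
    return out


if __name__ == "__main__":
    # Constructed URLs: an XML form endpoint as the document, its favicon as the resource.
    page = "https://central.example/v1/projects/1/forms/demo.xml"
    icon = "https://central.example/favicon.ico"
    print("deny-all:", check_load(DENY_ALL, "img-src", page, icon))        # (False, 'default-src')
    print("favicon allowed:", check_load(ALLOW_FAVICON, "img-src", page, icon))  # (True, None)
    print(choose_csp_headers({"Content-Type": "text/xml"}, ALLOW_FAVICON))
```

The evaluator covers 'none', 'self', '*', scheme sources and host sources with an optional port or "*." prefix, which is enough to reason about the favicon case and about what an enforced (rather than report-only) version of the policy would block for other resource types.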

Review comment threads (outdated) on files/nginx/odk.conf.template and test/nginx/src/mocha/nginx.spec.js
Co-authored-by: Alex Anderson <191496+alxndrsn@users.noreply.github.com>
@alxndrsn alxndrsn marked this pull request as ready for review April 28, 2026 11:25
@matthew-white matthew-white linked an issue Apr 29, 2026 that may be closed by this pull request
Review comment thread on test/nginx/src/mocha/nginx.spec.js
@alxndrsn alxndrsn requested a review from matthew-white April 29, 2026 11:28
alxndrsn added a commit that referenced this pull request Apr 30, 2026
@alxndrsn alxndrsn merged commit c9b359a into getodk:next Apr 30, 2026
6 checks passed
@alxndrsn alxndrsn deleted the enable-csp-backend branch April 30, 2026 13:14
Development

Successfully merging this pull request may close these issues:

  • csp: block all except favicon for XML endpoints