The CSP gets adapted to remote objects being allowed or not.
It can be configured or disabled via the config option
`content_security_policy` (and
`content_security_policy_add_allow_remote`).

If people write a lax default CSP they might set the additional config
option to the blank string, or false. Then the CSP header should not
contain that value.

This way the code always has values it can work with, no matter how good
or broken the
configuration is.

Previously the code also treated `'false'` (the string) as invalid, but
that's a very specific check against a specific edge case, which
wouldn't even break the code (but will only make the browser complain),
so I'm dropping that check.

The config value might be something else than a string.

In the previous way useless semicolons could have happened.

We still support PHP v7, which doesn't support union types.

phpstan complains that `assertIsArray($config)` will always fail because
it doesn't know about the side effects of `require`ing the default
config.