
[13.x] Improve origin verification in PreventRequestForgery#59198

Open
SanderMuller wants to merge 1 commit into laravel:13.x from SanderMuller:feature/prevent-request-forgery-improvements

Conversation

@SanderMuller (Contributor)

Summary

This PR makes three focused improvements to the PreventRequestForgery middleware shipped in #58400:

  1. Handle Sec-Fetch-Site: none as a safe value. The browser sets none when there is no external origin involved (e.g., forms on file:// pages, browser extensions). This is a bugfix for originOnly mode, which incorrectly throws OriginMismatchException for these requests. Go 1.25 and the OWASP Fetch Metadata policy both treat none as safe.

  2. Fall back to Origin header when Sec-Fetch-Site is absent. Clients that don't send Sec-Fetch-Site (plain HTTP contexts, older browsers, some WebViews) are forced through token validation even when the Origin header already proves the request is same-origin. This adds a lightweight Origin vs Host comparison using Symfony's getSchemeAndHttpHost(). In default mode, mismatches fall through to tokensMatch(). In originOnly mode, a matching Origin now correctly passes instead of throwing.

  3. Helpful error message on HTTP in originOnly mode. Browsers don't send Sec-Fetch-Site over insecure connections. When originOnly is enabled on plain HTTP, the exception now says "Origin verification requires a secure connection" instead of the generic "Origin mismatch", so developers know exactly what to fix.

Changes

  • hasValidOrigin(): accepts none, falls back to Origin-vs-Host, improved error on HTTP
  • originMatchesHost(): new protected method (6 lines), compares Origin header against $request->getSchemeAndHttpHost()

Precedent

  • Go 1.25 CrossOriginProtection: same three-tier strategy (Sec-Fetch-Site → Origin → allow non-browser)
  • Rails 8.2 PR #56350 / PR #56580: Sec-Fetch-Site verification + HTTP hotfix
  • OWASP Fetch Metadata policy: lists none as safe, recommends Origin fallback
  • Filippo Valsorda (words.filippo.io/csrf/): reference algorithm
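The three-tier decision described above, written out as an added example (not the PR's code or Laravel's): a plain function over a header array and the request's scheme+host, standing in for Symfony's Request and getSchemeAndHttpHost(); the return values 'allow' and 'check-token' are this example's own names.

```php
<?php
// Added example, not the PR's implementation. Mirrors the described order:
//   1. Sec-Fetch-Site (same-origin or none => safe)
//   2. Origin header compared against scheme://host when Sec-Fetch-Site is absent
//   3. otherwise token validation, or an exception in originOnly mode
final class OriginMismatch extends RuntimeException {}

/**
 * @param array<string,string> $headers         request headers (case-insensitive)
 * @param string               $schemeAndHttpHost e.g. "https://app.example" (assumed stand-in
 *                                                for $request->getSchemeAndHttpHost())
 * @return string 'allow' (origin verified) or 'check-token' (fall through to tokensMatch())
 */
function evaluateOrigin(array $headers, string $schemeAndHttpHost, bool $originOnly): string
{
    $headers = array_change_key_case($headers, CASE_LOWER);
    $site = $headers['sec-fetch-site'] ?? null;

    // Tier 1: the browser told us. 'none' means no external origin was involved.
    if ($site === 'same-origin' || $site === 'none') {
        return 'allow';
    }
    if ($site !== null) { // 'cross-site' or 'same-site' (sibling subdomain): not proven safe
        if ($originOnly) {
            throw new OriginMismatch('Origin mismatch');
        }
        return 'check-token';
    }

    // Tier 2: no Sec-Fetch-Site; an Origin equal to scheme://host still proves same-origin.
    // An opaque Origin ("null") or a different port never matches and falls through.
    $origin = $headers['origin'] ?? null;
    if ($origin !== null && strtolower($origin) === strtolower($schemeAndHttpHost)) {
        return 'allow';
    }

    // Tier 3: nothing usable. On plain HTTP, explain why Sec-Fetch-Site is missing.
    if ($originOnly) {
        $isHttps = str_starts_with(strtolower($schemeAndHttpHost), 'https://');
        throw new OriginMismatch($isHttps
            ? 'Origin mismatch'
            : 'Origin verification requires a secure connection');
    }
    return 'check-token';
}

// Constructed requests exercising each tier (no framework needed to run this file):
var_dump(evaluateOrigin(['Sec-Fetch-Site' => 'none'], 'https://app.example', true));        // "allow"
var_dump(evaluateOrigin(['Origin' => 'https://app.example'], 'https://app.example', true)); // "allow"
var_dump(evaluateOrigin(['Origin' => 'https://evil.example'], 'https://app.example', false)); // "check-token"
```

Running `evaluateOrigin([], 'http://app.example', true)` throws the "requires a secure connection" message, which is the HTTP case the PR singles out.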
