Previously, when a js_access handler called r.return(status, body),
ngx_http_send_response() sent the response but returned NGX_OK. The
access handler then returned NGX_OK to the phase engine, which treated
the access check as allowed and continued to the content phase.
As a result, a denied request could still reach proxy_pass or another
content handler after the response had already been sent.
Now the access handler finalizes the request if a response was already
sent during js_access execution. This keeps r.return() behavior in
js_content unchanged, while making r.return(status, body) terminal in
js_access.