fix: use custom directive as-is when overriding csp and the default is 'none'

[nkgentile]

WHY are these changes introduced?

Fixes #2064

When extending the default content security policy, if the underlying default directive was set to none (for example, frameAncestors) then createContentSecurityPolicy would merge it with the custom directive and return a header with frame-ancestors 'self' 'none';.

In Chrome, the browser will log an error in the console:

The Content-Security-Policy directive 'frame-ancestors' contains the keyword 'none' alongside with other source expressions. The keyword 'none' must be the only source expression in the directive value, otherwise it is ignored.

WHAT is this pull request doing?

This small PR adjusts the createContentSecurityPolicy helper so that when the default directive is none it won't merge the default into the custom directive.

Checklist

• I've read the Contributing Guidelines
• I've considered possible cross-platform impacts (Mac, Linux, Windows)
• I've added a changeset if this PR contains user-facing or noteworthy changes
• I've added tests to cover my changes
• I've added or updated the documentation

[nkgentile]

I have signed the CLA!

[michenly]

I suggested an improvement, but the current solution is sound as well.

Don't forget to add changeset!

[michenly]

❤️ thank you for the contribution!

[nkgentile]

Thank you for the swift review!