fix: use custom directive as-is when overriding csp and the default is 'none' #2076
WHY are these changes introduced?
Fixes #2064
When extending the default content security policy, if the underlying default directive was set to `none` (for example, `frameAncestors`) then `createContentSecurityPolicy` would merge it with the custom directive and return a header with `frame-ancestors 'self' 'none';`.
In Chrome, the browser will log an error in the console:
WHAT is this pull request doing?
This small PR adjusts the `createContentSecurityPolicy` helper so that when the default directive is `none` it won't merge the default into the custom directive.
Checklist
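
The merge behaviour described in this pull request, as an added example that is not part of the PR and is not Hydrogen's source: `mergeNaive`, `mergeFixed`, `buildHeader`, `findInvalidNone` and the `DEFAULT_DIRECTIVES` values are hypothetical names and sample data. It contrasts merging a `'none'` default into a custom directive with using the custom directive as-is, and adds a check for `'none'` appearing alongside other sources, where it is meaningful only as the sole source of a directive.

```javascript
const NONE = "'none'";

// Constructed sample defaults (assumption), camelCase keys as in the PR text.
const DEFAULT_DIRECTIVES = {
  defaultSrc: ["'self'"],
  frameAncestors: [NONE],
};

const toArray = (value) => (Array.isArray(value) ? value : [value]);
const kebab = (name) => name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());

// Behaviour before the fix: custom sources first, defaults appended, deduplicated.
function mergeNaive(custom, defaults) {
  return [...new Set([...toArray(custom), ...toArray(defaults)])];
}

// Behaviour after the fix: a default of exactly 'none' is replaced, not merged.
function mergeFixed(custom, defaults) {
  const def = toArray(defaults);
  if (def.length === 1 && def[0] === NONE) return toArray(custom);
  return mergeNaive(custom, def);
}

// Serialise defaults plus overrides into a header value using the given merge.
function buildHeader(custom, merge) {
  const names = new Set([...Object.keys(DEFAULT_DIRECTIVES), ...Object.keys(custom)]);
  const parts = [...names].map((name) => {
    let sources = DEFAULT_DIRECTIVES[name];
    if (name in custom) {
      sources = name in DEFAULT_DIRECTIVES
        ? merge(custom[name], DEFAULT_DIRECTIVES[name])
        : toArray(custom[name]);
    }
    return `${kebab(name)} ${toArray(sources).join(" ")}`;
  });
  return parts.join("; ") + ";";
}

// Regression check: list directives where 'none' sits next to other sources.
function findInvalidNone(header) {
  return header
    .split(";")
    .map((directive) => directive.trim().split(/\s+/))
    .filter((tokens) => tokens.length > 2 && tokens.slice(1).includes(NONE))
    .map((tokens) => tokens[0]);
}

const custom = { frameAncestors: ["'self'"] }; // constructed override
console.log(buildHeader(custom, mergeNaive), findInvalidNone(buildHeader(custom, mergeNaive)));
console.log(buildHeader(custom, mergeFixed), findInvalidNone(buildHeader(custom, mergeFixed)));
```

Running `findInvalidNone` over the generated header in a unit test catches this class of merge regression before it reaches a browser console.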