This PR was merged into the 3.2 branch.
Don't add csp-headers if none are required
| Q | A
| ------------- | ---
| Branch? | 3.2
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | This PR is also the ticket
| License | MIT
In 3.2 a tool to adjust Content Security Policy headers in combination with the WebProfiler was added. We encountered a bug in its behavior.
This PR fixes the scenario where no default-src nor a script-src/style-src is provided. It simply continue's rather than treats it as an empty list of rules that need additional rules.
~A bug I did find, but not fix, is the fact that that `'unsafe-inline'` is ignored in at least Firefox and Chrome due to the fact there is also a nonce-element in the rule.~
6fecc94 Don't add csp-headers if none are required