From 3e83778b62e29b8ab87cb2eb3de3c61992c1c93e Mon Sep 17 00:00:00 2001
From: Sam Bauers
Date: Tue, 20 Dec 2022 17:59:05 +1100
Subject: [PATCH] fix(buildCSPHeaders): remove 'none' when appropriate

The value 'none' should not be mixed with other CSP values. This change removes the value 'none' if there is more than one value present in any directive.
---
 lib/buildCSPHeaders.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/buildCSPHeaders.js b/lib/buildCSPHeaders.js
index 3ecf3c9..be4aad0 100644
--- a/lib/buildCSPHeaders.js
+++ b/lib/buildCSPHeaders.js
@@ -34,8 +34,13 @@ function getCSPDirective(value, defaultValue, mergeDefaultDirectives = false) {
 // de-duplicate merged values
 const uniqueValueArray = [...new Set(mergedValueArray)]
 
+ // remove value "'none'" if the array contains other values
+ const validValueArray = uniqueValueArray.length > 1
+ ? uniqueValueArray.filter((v) => v !== "'none'")
+ : uniqueValueArray
+
 // only return user configured values if present, otherwise return default
- return uniqueValueArray.length > 0 ? uniqueValueArray : defaultValueArray
+ return validValueArray.length > 0 ? validValueArray : defaultValueArray
 }
 
 module.exports = function buildCSPHeaders(options = {}) {
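Review bot: The new `validValueArray` filter always resolves a `'none'` conflict in the permissive direction, and it does so silently. `mergedValueArray` is built above the hunk, so this is inferred, but if `mergeDefaultDirectives` can combine a user-configured `'none'` with default sources, the emitted directive becomes the defaults and the operator's lock-down is dropped without any signal. I would at least record that above the filter, e.g. `// NOTE: 'none' loses to any other source, including merged defaults; a directive meant to be 'none' must not be merged`, and consider warning or letting a lone user-supplied `'none'` win before merging. The comparison `v !== "'none'"` is also case-sensitive, whereas CSP keywords match ASCII case-insensitively, so a configured `'NONE'` would still be emitted alongside other values. The body of `getCSPDirective` starts outside the hunk.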