From 4879c0172a2a66b39b1faa7757c05bb7d24b4036 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Sun, 8 Oct 2023 13:46:32 +0200
Subject: [PATCH] CSP: Allow extending directives with 'none'

---
 config/initializers/content_security_policy.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 7230bc75..dad6c817 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -19,7 +19,8 @@ module CSP
 else
 policy.public_send(directive) || []
 end
- all_settings = existing_settings + additional_settings
+ all_settings = additional_settings
+ all_settings += existing_settings unless existing_settings == ["'none'"]
 policy.public_send(directive, *all_settings)
 end
 end
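Review bot: When `additional_settings` is empty and the existing value is `["'none'"]`, `all_settings` stays empty, so the final `policy.public_send(directive, *all_settings)` is called with no sources and the `'none'` restriction is not written back. If `policy` is Rails' `ActionDispatch::ContentSecurityPolicy`, a directive call without sources removes the directive, which would loosen the policy instead of leaving it unchanged; this needs confirming against the callers, because the method's start and its call sites are outside the hunk. Dropping `'none'` only when there is something to replace it with avoids that: `all_settings += existing_settings unless existing_settings == ["'none'"] && additional_settings.any?`. A one-line comment stating that `'none'` cannot be combined with other sources would also explain why the existing value is discarded here.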