backport 1313937 CSP: Enforce 'strict-dynamic' within default-src
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/117
Fixed a bug where the Content-Security-Policy
strict-dynamic
source expression was not being enforced indefault-src
directives. The behavior now matches the specification wheredefault-src
directive values are used as a fallback whenscript-src
is not provided (Firefox bug 1313937).
feel free to close if not important