Revert "Update headers and CSP value (#7904)"

customHttp.yml

@@ -12,10 +12,6 @@ customHeaders:
         value: '1; mode=block'
       - key: 'X-Content-Type-Options'
         value: 'nosniff'
-      - key: 'Cache-Control'
-        value: 'no-store, no-cache'
-      - key: 'Pragma'
-        value: 'no-cache'
       - key: 'Content-Security-Policy'
-        value: "upgrade-insecure-requests; frame-ancestors 'none';"
+        value: 'upgrade-insecure-requests;'
       # CSP also set in _document.tsx meta tag

src/pages/_document.tsx

@@ -62,8 +62,6 @@ const getCspContent = (context) => {
   if (process.env.BUILD_ENV !== 'production') {
     return `
       default-src 'none';
-      object-src 'none';
-      base-uri 'none';
       style-src 'self' 'unsafe-inline' ${ANALYTICS_CSP.all.style.join(' ')};
       font-src 'self' data:;
       frame-src 'self' https://www.youtube-nocookie.com ${ANALYTICS_CSP.all.frame.join(
@@ -87,8 +85,6 @@ const getCspContent = (context) => {
   // Have to keep track of CSP inside customHttp.yml as well
   return `
     default-src 'none';
-    object-src 'none';
-    base-uri 'none';
     style-src 'self' 'unsafe-inline' ${ANALYTICS_CSP.all.style.join(' ')};
     font-src 'self';
     frame-src 'self' https://www.youtube-nocookie.com ${ANALYTICS_CSP.all.frame.join(
@@ -106,7 +102,6 @@ const getCspContent = (context) => {
     script-src 'self' ${cspInlineScriptHash} ${ANALYTICS_CSP.prod.script.join(
       ' '
     )} ${ANALYTICS_CSP.all.script.join(' ')};
-    require-trusted-types-for 'script';
   `;
 };