netlify dev error: Invalid character in header content ["Content-Security-Policy"] #7703

@dinosoeren

Describe the bug

error details:

⬥ No app server detected. Using simple static server
⬥ Running static server from "walls.dev/public"
⬥ Setting up local dev server

⬥ Static server listening to 3999

   ╭─────────────────────── ⬥  ────────────────────────╮
   │                                                   │
   │   Local dev server ready: http://localhost:8888   │
   │                                                   │
   ╰───────────────────────────────────────────────────╯

 ›   Error: Netlify CLI has terminated unexpectedly
This is a problem with the Netlify CLI, not with your application.
If you recently updated the CLI, consider reverting to an older version by running:

npm install -g netlify-cli@VERSION

You can use any version from https://ntl.fyi/cli-versions.

Please report this problem at https://ntl.fyi/cli-error including the error details below.

TypeError [ERR_INVALID_CHAR]: Invalid character in header content ["Content-Security-Policy"]
    at ServerResponse.setHeader (node:_http_outgoing:658:3)
    at file:///home/ganesh/.nvm/versions/node/v18.20.5/lib/node_modules/netlify-cli/dist/utils/proxy.js:555:21
    at Array.forEach (<anonymous>)
    at IncomingMessage.onEnd (file:///home/ganesh/.nvm/versions/node/v18.20.5/lib/node_modules/netlify-cli/dist/utils/proxy.js:553:42)
    at IncomingMessage.emit (node:events:529:35)
    at endReadableNT (node:internal/streams/readable:1400:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)

  System:
    OS: Linux 6.8 Linux Mint 22 (Wilma)
    CPU: (16) x64 AMD Ryzen 7 5800U with Radeon Graphics
  Binaries:
    Node: 18.20.5 - ~/.nvm/versions/node/v18.20.5/bin/node
    Yarn: 1.22.22 - ~/.nvm/versions/node/v18.20.5/bin/yarn
    npm: 10.9.2 - ~/.nvm/versions/node/v18.20.5/bin/npm
  Browsers:
    Chrome: 140.0.7339.207
  npmGlobalPackages:
    netlify-cli: 23.9.1

Steps to reproduce

  1. Use the provided netlify.toml for a Hugo project
  2. Run netlify dev

Configuration

[build.environment]
HUGO_VERSION = "0.145.0"
DART_SASS_VERSION = "1.89.2"
NODE_VERSION = "22"
TZ = "America/Denver"

[build]
publish = "public"
command = """\
  curl -LJO https://github.com/sass/dart-sass/releases/download/${DART_SASS_VERSION}/dart-sass-${DART_SASS_VERSION}-linux-x64.tar.gz && \
  tar -xf dart-sass-${DART_SASS_VERSION}-linux-x64.tar.gz && \
  rm dart-sass-${DART_SASS_VERSION}-linux-x64.tar.gz && \
  export PATH=/opt/build/repo/dart-sass:$PATH && \
  hugo --gc --minify && \
  staticrypt public/admin/* -r -d public/admin/ -t public/staticrypt/template.txt \
  """

[[plugins]]
  package = "@netlify/plugin-csp-nonce"
  [plugins.inputs]
    reportOnly = false

# Custom headers — https://docs.netlify.com/routing/headers/#syntax-for-the-netlify-configuration-file
[[headers]]
  for = "/*"
  [headers.values]
    X-Frame-Options = "SAMEORIGIN"
    X-Clacks-Overhead = "GNU Terry Pratchett"
    X-XSS-Protection = "1; mode=block"
    X-Content-Type-Options = "nosniff"
    Referrer-Policy = "strict-origin"
    Content-Security-Policy =  """
    base-uri 'self';
    connect-src 'self' https://giscus.app https://fonts.googleapis.com https://fonts.gstatic.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://9042e694.sibforms.com/ https://api.bloggify.net/gh-calendar/ https://cdn.jsdelivr.net/npm/[email protected]/ https://img.youtube.com https://i3.ytimg.com https://mermaid.ink/img/ https://*.giphy.com/media/ https://mirrors.creativecommons.org https://upload.wikimedia.org https://api.github.com https://www.githubstatus.com/api/ https://avatars.githubusercontent.com https://dinosoeren.github.io/ https://unpkg.com/[email protected]/ https://unpkg.com/[email protected]/ https://unpkg.com/@sveltia/ https://unpkg.com/react@18/ https://unpkg.com/react-dom@18/;
    default-src 'self';
    frame-src https://www.youtube.com https://www.linkedin.com https://giscus.app https://9042e694.sibforms.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/;
    frame-ancestors 'none';
    font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com https://assets.brevo.com;
    img-src 'self' data: https://*.google-analytics.com https://*.googletagmanager.com https://img.youtube.com https://mermaid.ink/img/ https://*.giphy.com/media/ https://mirrors.creativecommons.org https://upload.wikimedia.org;
    object-src 'none';
    script-src 'self' 'strict-dynamic' 'sha256-+axL5ALXHS1eHiA/vM8l+cdv3Pc9grMTd6E5vjQ63vg=' 'sha256-9us6GLywqjRGNlZQZICriNGoh77Eiz7t35eiYzpmEDk=' 'sha256-bs5MJFx0gKj7O0/2XeLmuuxZWxtjIVvXcKwYVwb8Qk0=' 'sha256-T25p6sauw3TToLTuRA8qb6w+HpjpQB9xyoKWZ6RBkDQ=' 'sha512-TuSWMwNJIHM8uYZkGfRj2UuEcBOE+H831rq26IIAP1NAKLfqAoEVePf6ZoawI7+iPnXW38CvWZ4ALYItfRnOCg==' 'sha384-7e5ktBfAIchJbfKTUj8cc1hR/kAs26/Xmvzn1bvIpuUyQZ17CH9LWXgJXOk23fTr' 'sha256-b9haVlfsp9On/X9FHtMz5zPPPsNwRpI3/qJDfIIgX5E=' 'sha256-ZITGvly02DMal21Tf24ohSq2IkmYZ/moxfNBbGq5hGU=' ;
    style-src 'self' 'sha256-LkfV7UYb22ijK10Jesbq54E5GQajnNJBLJ0e2mbEkjU=' 'sha256-mzE4Rbqaerc9M9ovvL0Asyk23uvc8WjljwkcHxIoUs0=' https://giscus.app https://sibforms.com/forms/ https://fonts.googleapis.com;
    upgrade-insecure-requests;
    """
    Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
    Access-Control-Allow-Origin = "*" # see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
    # Cache-Control= "public, max-age=86400" # 1 day
[[headers]]
  for = "/admin/*"
  [headers.values]
    Content-Security-Policy = """
    base-uri 'self';
    connect-src 'self' https://api.github.com https://www.githubstatus.com/api/ https://unpkg.com https://raw.githubusercontent.com https://generativelanguage.googleapis.com https://api.openai.com https://api.anthropic.com https://openrouter.ai;
    default-src 'self';
    frame-ancestors 'none';
    font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com;
    img-src 'self' data: blob: https://img.youtube.com https://i3.ytimg.com https://avatars.githubusercontent.com https://unsplash.com https://mermaid.ink/img/ https://*.giphy.com/media/ https://mirrors.creativecommons.org https://upload.wikimedia.org;
    object-src 'none';
    script-src 'self' 'strict-dynamic' 'unsafe-eval' 'sha256-+axL5ALXHS1eHiA/vM8l+cdv3Pc9grMTd6E5vjQ63vg=' 'sha512-TuSWMwNJIHM8uYZkGfRj2UuEcBOE+H831rq26IIAP1NAKLfqAoEVePf6ZoawI7+iPnXW38CvWZ4ALYItfRnOCg==' 'sha384-JNjmpWfdPuQ3I7ac38W0teoHcVxx7YdfDVpcgehfGqcu6ZBt26m/nmmBM2FzuO41' 'sha256-MRThEXY/rtL2unwJv3g31UoPJWsJ6FdNEW10zNJPFaQ=' 'sha256-+kdwuipOl8BHqdF/MIZ4gz8V2MyVEaJTTYEDID9jfYo=' 'sha384-/s+LkJSAVZkMICkNvBrI1Ims+iwqUCUL9ijFXKBmm1miABVEbPcg8tm7iHrYvis/' 'sha256-gXZQeV8CmNikertlboX5nZF8bAwQRWHGFP3RR8BVmPE=' 'sha384-grMdBSv5zWmMxe1f2yXAIqiXIgylFGhIqXfw0WcQ3ergmmTBANLVJSrYNQTM9P5F' 'sha384-DGyLxAyjq0f9SPpVevD6IgztCFlnMF6oW/XQGmfe+IsZ8TqEiDrcHkMLKI6fiB/Z' 'sha384-gTGxhz21lVGYNMcdJOyq01Edg0jhn/c22nsx0kyqP0TxaV5WVdsSH1fSDUf5YJj1' 'sha256-wW+O13wDm9QFRc/KEEjlvBo0cQMWRclxcSS0wPGfQ9U=' ;
    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
    upgrade-insecure-requests;
    """

Environment

  System:
    OS: Linux 6.8 Linux Mint 22 (Wilma)
    CPU: (16) x64 AMD Ryzen 7 5800U with Radeon Graphics
    Memory: 5.61 GB / 15.03 GB
    Container: Yes
    Shell: 5.2.21 - /bin/bash
  Binaries:
    Node: 18.20.5 - /home/ganesh/.nvm/versions/node/v18.20.5/bin/node
    Yarn: 1.22.22 - /home/ganesh/.nvm/versions/node/v18.20.5/bin/yarn
    npm: 10.9.2 - /home/ganesh/.nvm/versions/node/v18.20.5/bin/npm
  npmGlobalPackages:
    netlify-cli: 23.9.1
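
The `"""` strings in the configuration above span several lines, so both Content-Security-Policy values contain line feeds, and Node's `setHeader` rejects CR/LF in a header value with `ERR_INVALID_CHAR` (the check that prevents response splitting). The following is an added example, not part of the original report or of Netlify CLI: it flags such values and folds them onto one line. The function names and the shortened policy are constructed for illustration.

```javascript
// Added example. The policy is a constructed, shortened stand-in for the
// multi-line TOML value; function names are illustrative.
const multilineCsp = [
  "    base-uri 'self';",
  "    default-src 'self';",
  "    script-src 'self' 'strict-dynamic';",
  "    upgrade-insecure-requests;",
  "    ",
].join('\n');

// Node's http module accepts only HTAB, 0x20-0x7e and 0x80-0xff in a
// header value. CR and LF fall outside that set.
const INVALID_HEADER_CHAR = /[^\t\x20-\x7e\x80-\xff]/g;

// List every character that setHeader would reject, with its offset.
function findInvalidHeaderChars(value) {
  return [...value.matchAll(INVALID_HEADER_CHAR)].map((m) => ({
    index: m.index,
    codePoint: 'U+' + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
  }));
}

// CSP separates directives with ';' and sources with whitespace, so folding
// each run of spaces, tabs and line breaks into one space keeps the policy.
function toSingleLineHeader(value) {
  return value.replace(/[ \t\r\n]+/g, ' ').trim();
}

// Check a name -> value map before it reaches res.setHeader().
function auditHeaders(headers) {
  const report = {};
  for (const [name, value] of Object.entries(headers)) {
    const bad = findInvalidHeaderChars(value);
    if (bad.length > 0) {
      report[name] = { bad, fixed: toSingleLineHeader(value) };
    }
  }
  return report;
}

const report = auditHeaders({
  'X-Frame-Options': 'SAMEORIGIN',
  'Content-Security-Policy': multilineCsp,
});
console.log(JSON.stringify(report, null, 2));
```

Writing the policy on a single line in netlify.toml gives the same result as `toSingleLineHeader` without any runtime rewriting.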

Labels: type: bug (code to address defects in shipped code)
