I have a Next.js site and am using the edge functions to set headers. This is the value of the CSP header:
default-src 'self' https://api.sanity.io https://apicdn.sanity.io; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.sanity.io data:; upgrade-insecure-requests;
The build is passing and the built netlify.toml looks fine (below is only the CSP part):
[[headers]]
for = "/(.*)"
[headers.values]
Content-Security-Policy = "default-src 'self' https://api.sanity.io https://apicdn.sanity.io; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.sanity.io data:; upgrade-insecure-requests ;"
When I remove the “upgrade-insecure-requests” policy all the other policies show up. The other headers I set in the edge function are not affected.