Upgrade-insecure-requests CSP policy makes the header show up as empty

I have a nextjs site and am using the edge functions to set headers, this is the value of the CSP header
default-src 'self' https://api.sanity.io https://apicdn.sanity.io; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.sanity.io data:; upgrade-insecure-requests;
The build is passing and the built netlify.toml looks fine (bellow is only the CSP part)

[[headers]]
for = "/(.*)"

  [headers.values]
  Content-Security-Policy = "default-src 'self' https://api.sanity.io https://apicdn.sanity.io; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.sanity.io data:; upgrade-insecure-requests ;"

When I remove the “upgrade-insecure-requests” policy all the other policies show up. The other headers I set in the edge function are not affected.

hey @Hmmm thanks for writing in! Can you provide a URL where this issue is visible, or let us know how we can otherwise replicate it on our end? Looking forward to hearing from you!