getDefaultDirectives should do a deep copy

See [#463] and [#465].

[#463]: #463
[#465]: #465

Author: sohrb

middlewares/content-security-policy/index.ts

@@ -68,7 +68,7 @@ const SHOULD_BE_QUOTED: ReadonlySet<string> = new Set([
   "wasm-unsafe-eval",
 ]);
 
-const getDefaultDirectives = () => ({ ...DEFAULT_DIRECTIVES });
+const getDefaultDirectives = () => structuredClone(DEFAULT_DIRECTIVES);
 
 const dashify = (str: string): string =>
   str.replace(/[A-Z]/g, (capitalLetter) => "-" + capitalLetter.toLowerCase());

test/content-security-policy.test.ts

@@ -581,4 +581,14 @@ describe("getDefaultDirectives", () => {
       contentSecurityPolicy.getDefaultDirectives,
     );
   });
+
+  it("returns a new copy each time", () => {
+    const one = getDefaultDirectives();
+    one["worker-src"] = ["ignored.example"];
+    (one["img-src"] as Array<string>).push("ignored.example");
+
+    const two = getDefaultDirectives();
+    expect(two).not.toHaveProperty("worker-src");
+    expect(two["img-src"]).not.toContain("ignored.example");
+  });
 });