csp: pushDirective duplicates new directive on every non-matching iteration

[hunnyboy1217]

Astro Info

Astro                    v5.x (latest)
Node                     v22.x
Package manager          pnpm
Platform                 linux

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

pushDirective() in packages/astro/src/core/csp/runtime.ts (lines 33–57) pushes the new directive inside the loop for every existing directive whose name doesn't match. The result is a corrupted CSP header whenever Astro.csp.insertDirective(...) is called with a directive name that doesn't already match the first existing directive.

for (const directive of directives) {
  if (deduplicated) {
    finalDirectives.push(directive);
    continue;
  }
  const result = deduplicateDirectiveValues(directive, newDirective);
  if (result) {
    finalDirectives.push(result);
    deduplicated = true;
  } else {
    finalDirectives.push(directive);
    finalDirectives.push(newDirective);  // ❌ pushed once per non-matching iteration
  }
}

Two failure modes follow from this:

1. New directive name doesn't exist in the list. Every iteration takes the else branch and pushes newDirective again.

• existing: ["img-src 'self'", "style-src 'self'"]
• push: "script-src 'self'"
• expected: ["img-src 'self'", "style-src 'self'", "script-src 'self'"]
• actual: ["img-src 'self'", "script-src 'self'", "style-src 'self'", "script-src 'self'"]

2. Match exists, but only after non-matching directives. Every iteration before the match pushes a stray copy of the un-merged newDirective.

• existing: ["img-src 'self'", "script-src 'self'"]
• push: "script-src 'unsafe-inline'"
• expected: ["img-src 'self'", "script-src 'self' 'unsafe-inline'"]
• actual: ["img-src 'self'", "script-src 'unsafe-inline'", "script-src 'self' 'unsafe-inline'"]

The rendered Content-Security-Policy header for case 1 becomes img-src 'self'; script-src 'self'; style-src 'self'; script-src 'self' — the same directive name appearing twice on the wire is malformed CSP and browsers will treat duplicates per their own merging rules.

pushDirective is reachable from user code: Astro.csp.insertDirective(payload) calls pushDirective(result.directives, payload) at render-context.ts lines 580 and 869. result.directives is pre-populated from security.csp.directives config, so any project that combines configured directives with runtime insertDirective calls is affected.

The single existing unit test in packages/astro/test/units/csp/runtime.test.ts (lines 42–50) only covers the case where the new directive's name matches the first existing directive — so neither failure mode above is caught.

The fix is to push newDirective once after the loop, gated on a matched flag, instead of inside the else branch.

What's the expected result?

pushDirective(["img-src 'self'", "style-src 'self'"], "script-src 'self'") should return ["img-src 'self'", "style-src 'self'", "script-src 'self'"] — three directives, no duplicates. Each directive name should appear at most once in the resulting list.

Link to Minimal Reproducible Example

https://github.com/Hunnyboy1217/astro-csp-pushdirective-repro

Participation

• I am willing to submit a pull request for this issue.

[astrobot-houston]

• Reproduced: Yes — both failure modes confirmed on current main (v6.2.2).
• Exploration: Yes — View branch
• Priority: P4: important. Any project that combines configured CSP directives with runtime Astro.csp.insertDirective() calls will produce a malformed Content-Security-Policy header whenever the new directive name doesn't match the first existing directive. This affects a documented, non-experimental API and silently corrupts security headers — browsers handle duplicate directive names unpredictably.

The bug is in the else branch of the loop in pushDirective() at packages/astro/src/core/csp/runtime.ts:51-53. When a loop iteration doesn't find a directive-name match, the code pushes newDirective into the result array immediately — once per non-matching iteration — instead of deferring it to after the loop. This produces duplicate entries for two cases: (1) the new directive name doesn't exist at all, and (2) a match exists but isn't the first element. The sole existing unit test only covered the first-element-match case, so both failure modes shipped undetected.

I found a potential fix for this issue. The fix removes finalDirectives.push(newDirective) from the else branch and adds a post-loop guard: if (!deduplicated) { finalDirectives.push(newDirective); }. Four new unit tests were added covering both failure modes, empty lists, and single non-matching directives. All 26 CSP tests (10 unit + 16 integration) pass with no regressions.

Full Triage Report

Triage Report: Issue #16594

Issue Details

Title: csp: pushDirective duplicates new directive on every non-matching iteration
URL: #16594
Author: Hunnyboy1217
State: Open
Labels: needs triage

Environment

• Astro: v5.x (latest) — reproduced on v6.2.2 (current main)
• Node: v22.x
• Package manager: pnpm
• Platform: linux

Bug Description

The pushDirective() function in packages/astro/src/core/csp/runtime.ts (lines 33–57) pushes the new directive inside the loop's else branch for every existing directive whose name doesn't match. This causes the new directive to be duplicated in the output array.

The root cause is on line 53 of packages/astro/src/core/csp/runtime.ts:

for (const directive of directives) {
  if (deduplicated) {
    finalDirectives.push(directive);
    continue;
  }
  const result = deduplicateDirectiveValues(directive, newDirective);
  if (result) {
    finalDirectives.push(result);
    deduplicated = true;
  } else {
    finalDirectives.push(directive);
    finalDirectives.push(newDirective);  // BUG: pushed once per non-matching iteration
  }
}

Two Failure Modes

Failure Mode 1: New directive name doesn't exist in the list

Every iteration takes the else branch and pushes newDirective again.

• Existing: ["img-src 'self'", "style-src 'self'"]
• Push: "script-src 'self'"
• Expected: ["img-src 'self'", "style-src 'self'", "script-src 'self'"]
• Actual: ["img-src 'self'", "script-src 'self'", "style-src 'self'", "script-src 'self'"]

Failure Mode 2: Match exists, but only after non-matching directives

Every iteration before the match pushes a stray copy of the un-merged newDirective.

• Existing: ["img-src 'self'", "script-src 'self'"]
• Push: "script-src 'unsafe-inline'"
• Expected: ["img-src 'self'", "script-src 'self' 'unsafe-inline'"]
• Actual: ["img-src 'self'", "script-src 'unsafe-inline'", "script-src 'self' 'unsafe-inline'"]

Impact

pushDirective is reachable from user code: Astro.csp.insertDirective(payload) calls pushDirective(result.directives, payload) at render-context.ts. result.directives is pre-populated from security.csp.directives config, so any project that combines configured directives with runtime insertDirective calls is affected. The corrupted CSP header will contain the same directive name appearing multiple times, which is malformed CSP.

Reproduction

Both failure modes were confirmed by importing pushDirective from the built dist/core/csp/runtime.js and testing the exact inputs from the issue:

=== Case 1: New directive name does NOT exist in the list ===
Expected: [ "img-src 'self'", "style-src 'self'", "script-src 'self'" ]
Actual:   [ "img-src 'self'", "script-src 'self'", "style-src 'self'", "script-src 'self'" ]
Result: FAIL (BUG REPRODUCED)

=== Case 2: Match exists but AFTER non-matching directives ===
Expected: [ "img-src 'self'", "script-src 'self' 'unsafe-inline'" ]
Actual:   [ "img-src 'self'", "script-src 'unsafe-inline'", "script-src 'self' 'unsafe-inline'" ]
Result: FAIL (BUG REPRODUCED)

=== Case 3: Match is FIRST element (existing test) ===
Expected: [ "img-src 'self' https://example.com", "default-src 'self'" ]
Actual:   [ "img-src 'self' https://example.com", "default-src 'self'" ]
Result: PASS

Verification

• Verdict: Bug (high confidence)
• The commit that introduced this code (2cf79c23c23, "fix(csp): deduplicate CSP resources fix(csp): deduplicate CSP resources #14940") was explicitly about deduplication — the current behavior contradicts the developer's intent.
• No comments, code patterns, or historical signals suggest the duplication is intentional.
• The deduplicated flag variable name confirms the intent was to push the new directive exactly once.

Fix

Source change (packages/astro/src/core/csp/runtime.ts): Removed finalDirectives.push(newDirective) from the else branch inside the loop. Added a post-loop guard: if (!deduplicated) { finalDirectives.push(newDirective); }.

Tests added (packages/astro/test/units/csp/runtime.test.ts): 4 new test cases covering:

1. New directive name not in existing list (failure mode 1)
2. Matching directive not first in list (failure mode 2)
3. Empty directives list
4. Single non-matching directive

All 26 CSP tests pass (10 unit + 16 integration). No regressions.

This report was made by an LLM. The analysis may be wrong, and the potential fix might not work, but is intended as a starting point for exploring the issue.