If user-supplied input was passed into append/override_content_security_policy_directives,
a semicolon could be injected leading to directive injection.

This could be used to e.g. override a script-src directive. Duplicate directives are ignored
and the first one wins. The directives in secure_headers are sorted alphabetically so they
pretty much all come before script-src. A previously undefined directive would receive a value
even if SecureHeaders::OPT_OUT was supplied.

The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning
when this happens. This will result in innocuous browser console messages if being
exploited/accidentally used. In future releases, we will raise application errors resulting in
500s.

> Duplicate script-src directives detected. All but the first instance will be ignored.

See https://www.w3.org/TR/CSP3/#parse-serialized-policy

> Note: In this case, the user agent SHOULD notify developers that a duplicate directive was
> ignored. A console warning might be appropriate, for example.

Workarounds

If you are passing user input into the above methods, you could filter out the input:

override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")])