adobe · andreituicu · Feb 11, 2025 · Feb 11, 2025
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -57,7 +57,6 @@
     "mdast-util-to-string": "4.0.0",
     "micromark-util-subtokenize": "2.0.4",
     "mime": "4.0.6",
-    "parse5-html-rewriting-stream": "7.0.0",
     "rehype-format": "5.0.1",
     "rehype-parse": "9.0.1",
     "remark-parse": "11.0.0",

diff --git a/src/html-pipe.js b/src/html-pipe.js
@@ -149,7 +149,6 @@ export async function htmlPipe(state, req) {
 
     if (state.content.sourceBus === 'code' || state.info.originalExtension === '.md') {
       state.timer?.update('serialize');
-      await setCustomResponseHeaders(state, req, res);
       await renderCode(state, req, res);
     } else {
       state.timer?.update('parse');
@@ -166,14 +165,14 @@ export async function htmlPipe(state, req) {
       await createPictures(state);
       await extractMetaData(state, req);
       await addHeadingIds(state);
-      await setCustomResponseHeaders(state, req, res);
       await render(state, req, res);
       state.timer?.update('serialize');
       await tohtml(state, req, res);
       await applyMetaLastModified(state, res);
     }
 
     setLastModified(state, res);
+    await setCustomResponseHeaders(state, req, res);
     await setXSurrogateKeyHeader(state, req, res);
   } catch (e) {
     res.error = e.message;

diff --git a/src/steps/csp.js b/src/steps/csp.js
diff --git a/src/steps/fetch-404.js b/src/steps/fetch-404.js
@@ -10,7 +10,6 @@
  * governing permissions and limitations under the License.
  */
 import { extractLastModified, recordLastModified } from '../utils/last-modified.js';
-import { contentSecurityPolicyOnCode } from './csp.js';
 import { computeContentPathKey, computeCodePathKey } from './set-x-surrogate-key-header.js';
 
 /**
@@ -35,7 +34,6 @@ export default async function fetch404(state, req, res) {
 
     // keep 404 response status
     res.body = ret.body;
-    contentSecurityPolicyOnCode(state, res);
     res.headers.set('last-modified', ret.headers.get('last-modified'));
     res.headers.set('content-type', 'text/html; charset=utf-8');
   }

diff --git a/src/steps/render-code.js b/src/steps/render-code.js
@@ -10,9 +10,6 @@
  * governing permissions and limitations under the License.
  */
 import mime from 'mime';
-import {
-  contentSecurityPolicyOnCode,
-} from './csp.js';
 
 const CHARSET_RE = /charset=([^()<>@,;:"/[\]?.=\s]*)/i;
 
@@ -35,6 +32,4 @@ export default async function renderCode(state, req, res) {
     }
   }
   res.headers.set('content-type', contentType);
-
-  contentSecurityPolicyOnCode(state, res);
 }
diff --git a/src/steps/render.js b/src/steps/render.js
@@ -15,7 +15,6 @@ import { h } from 'hastscript';
 import { unified } from 'unified';
 import rehypeParse from 'rehype-parse';
 import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
-import { contentSecurityPolicyOnAST } from './csp.js';
 
 function appendElement($parent, $el) {
   if ($el) {
@@ -103,7 +102,6 @@ export default async function render(state, req, res) {
     const $headHtml = await unified()
       .use(rehypeParse, { fragment: true })
       .parse(headHtml);
-    contentSecurityPolicyOnAST(res, $headHtml);
     $head.children.push(...$headHtml.children);
   }