[Blazor] Fix multiple CSP policies

src/Components/Server/src/Builder/ServerRazorComponentsEndpointConventionBuilderExtensions.cs

@@ -54,7 +54,20 @@ public static RazorComponentsEndpointConventionBuilder AddInteractiveServerRende
                         var original = b.RequestDelegate;
                         b.RequestDelegate = async context =>
                         {
-                            context.Response.Headers.Add("Content-Security-Policy", $"frame-ancestors {options.ContentSecurityFrameAncestorsPolicy}");
+                            if (context.Response.Headers.ContentSecurityPolicy.Count == 0)
+                            {
+                                context.Response.Headers.ContentSecurityPolicy = $"frame-ancestors {options.ContentSecurityFrameAncestorsPolicy}";
+                            }
+                            else
+                            {
+                                var result = new string[context.Response.Headers.ContentSecurityPolicy.Count + 1];
+                                for (var i = 0; i < result.Length - 1; i++)
+                                {
+                                    result[i] = context.Response.Headers.ContentSecurityPolicy[i];
+                                }
+                                result[^1] = $"frame-ancestors {options.ContentSecurityFrameAncestorsPolicy}";
+                                context.Response.Headers.ContentSecurityPolicy = result;
+                            }
                             await original(context);
                         };
                     }

src/Components/test/E2ETest/ServerExecutionTests/WebSocketCompressionTests.cs

@@ -50,6 +50,39 @@ public async Task EmbeddingServerAppInsideIframe_WorksAsync()
             Assert.DoesNotContain("Content-Security-Policy", response.Headers.Select(h => h.Key));
         }
     }
+
+    [Fact]
+    public async Task EmbeddingServerAppInsideIframe_WorksWithMultipleCspHeaders()
+    {
+        Navigate("/subdir/iframe?add-csp");
+
+        var logs = Browser.GetBrowserLogs(LogLevel.Severe);
+
+        Assert.Empty(logs);
+
+        // Get the iframe element from the page, and inspect its contents for a p element with id inside-iframe
+        var iframe = Browser.FindElement(By.TagName("iframe"));
+        Browser.SwitchTo().Frame(iframe);
+        Browser.Exists(By.Id("inside-iframe"));
+
+        using var client = new HttpClient() { BaseAddress = _serverFixture.RootUri };
+        var response = await client.GetAsync("/subdir/iframe?add-csp");
+        response.EnsureSuccessStatusCode();
+
+        if (ExpectedPolicy != null)
+        {
+            Assert.Equal(
+                response.Headers.GetValues("Content-Security-Policy"),
+                [
+                    "script-src 'self' 'unsafe-inline'",
+                    $"frame-ancestors {ExpectedPolicy}"
+                ]);
+        }
+        else
+        {
+            Assert.DoesNotContain("Content-Security-Policy", response.Headers.Select(h => h.Key));
+        }
+    }
 }
 
 public abstract partial class BlockedWebSocketCompressionTests(

src/Components/test/testassets/Components.TestServer/RazorComponentEndpointsStartup.cs

@@ -68,6 +68,16 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             app.UseRouting();
             UseFakeAuthState(app);
             app.UseAntiforgery();
+
+            app.Use((ctx, nxt) =>
+            {
+                if (ctx.Request.Query.ContainsKey("add-csp"))
+                {
+                    ctx.Response.Headers.Add("Content-Security-Policy", "script-src 'self' 'unsafe-inline'");
+                }
+                return nxt();
+            });
+
             _ = app.UseEndpoints(endpoints =>
             {
                 _ = endpoints.MapRazorComponents<TRootComponent>()