From c01ad1e37c964df0108c37da4dd32af4630df95e Mon Sep 17 00:00:00 2001
From: Evan Hahn <me@evanhahn.com>
Date: Thu, 6 Aug 2020 15:52:22 -0500
Subject: [PATCH] Content-Security-Policy: add missing changelog note about
 functions as directive values

---
 CHANGELOG.md                                     | 1 +
 middlewares/content-security-policy/CHANGELOG.md | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fe309471..db5781e4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@
   - Removed a lot of checks—you should be checking your CSP with a different tool
   - Removed support for legacy headers (and therefore the `setAllHeaders` parameter). [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4)
   - Removed the `loose` option
+  - Removed support for functions as directive values. You must supply an iterable of strings
 - `helmet.frameguard`:
   - Dropped support for the `ALLOW-FROM` action. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)
 - `helmet.hidePoweredBy` no longer accepts arguments. See [this article](https://github.com/helmetjs/helmet/wiki/How-to-set-a-custom-X%E2%80%93Powered%E2%80%93By-header) to see how to replicate the removed behavior. See [#224](https://github.com/helmetjs/helmet/issues/224).
diff --git a/middlewares/content-security-policy/CHANGELOG.md b/middlewares/content-security-policy/CHANGELOG.md
index 87124383..881c0792 100644
--- a/middlewares/content-security-policy/CHANGELOG.md
+++ b/middlewares/content-security-policy/CHANGELOG.md
@@ -21,6 +21,7 @@
 - Removed support for legacy headers (and therefore the `setAllHeaders` parameter). [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4)
 - Dropped support for old Node versions. Node 10+ is now required
 - Removed the `loose` option
+- Removed support for functions as directive values. You must supply an iterable of strings
 - Removed the `disableAndroid` option
 
 ## 2.9.5 - 2020-02-22