CSP: clean up getDefaultDirectives

1. `getDefaultDirectives` is now faster, avoiding `structuredClone`.

2. We don't need to call `getDefaultDirectives`.

middlewares/content-security-policy/index.ts

@@ -39,10 +39,7 @@ interface ContentSecurityPolicy {
 
 const dangerouslyDisableDefaultSrc = Symbol("dangerouslyDisableDefaultSrc");
 
-const DEFAULT_DIRECTIVES: Record<
-  string,
-  Iterable<ContentSecurityPolicyDirectiveValue>
-> = {
+const DEFAULT_DIRECTIVES: Record<string, string[]> = {
   "default-src": ["'self'"],
   "base-uri": ["'self'"],
   "font-src": ["'self'", "https:", "data:"],
@@ -68,7 +65,19 @@ const SHOULD_BE_QUOTED: ReadonlySet<string> = new Set([
   "wasm-unsafe-eval",
 ]);
 
-const getDefaultDirectives = () => structuredClone(DEFAULT_DIRECTIVES);
+const getDefaultDirectives = (): Record<
+  string,
+  Iterable<ContentSecurityPolicyDirectiveValue>
+> => {
+  const result: Record<
+    string,
+    Iterable<ContentSecurityPolicyDirectiveValue>
+  > = {};
+  for (const [key, value] of Object.entries(DEFAULT_DIRECTIVES)) {
+    result[key] = value.concat();
+  }
+  return result;
+};
 
 const dashify = (str: string): string =>
   str.replace(/[A-Z]/g, (capitalLetter) => "-" + capitalLetter.toLowerCase());
@@ -93,9 +102,7 @@ const invalidDirectiveValueError = (directiveName: string): Error =>
 function normalizeDirectives(
   options: Readonly<ContentSecurityPolicyOptions>,
 ): NormalizedDirectives {
-  const defaultDirectives = getDefaultDirectives();
-
-  const { useDefaults = true, directives: rawDirectives = defaultDirectives } =
+  const { useDefaults = true, directives: rawDirectives = DEFAULT_DIRECTIVES } =
     options;
 
   const result: NormalizedDirectives = new Map();
@@ -176,7 +183,7 @@ function normalizeDirectives(
   }
 
   if (useDefaults) {
-    Object.entries(defaultDirectives).forEach(
+    Object.entries(DEFAULT_DIRECTIVES).forEach(
       ([defaultDirectiveName, defaultDirectiveValue]) => {
         if (
           !result.has(defaultDirectiveName) &&