FEATURE: allow extending CSP base-uri and object-src

Plus, ensure :none is stripped, it cannot be combined with other sources

lib/content_security_policy/builder.rb

@@ -4,13 +4,14 @@ require_dependency 'content_security_policy/default'
 class ContentSecurityPolicy
   class Builder
     EXTENDABLE_DIRECTIVES = %i[
+      base_uri
+      object_src
       script_src
       worker_src
     ].freeze
 
     # Make extending these directives no-op, until core includes them in default CSP
     TO_BE_EXTENDABLE = %i[
-      base_uri
       connect_src
       default_src
       font_src
@@ -20,7 +21,6 @@ class ContentSecurityPolicy
       img_src
       manifest_src
       media_src
-      object_src
       prefetch_src
       style_src
     ].freeze
@@ -65,6 +65,8 @@ class ContentSecurityPolicy
       else
         @directives[directive] << sources
       end
+
+      @directives[directive].delete(:none) if @directives[directive].count > 1
     end
 
     def extendable?(directive)

spec/fixtures/plugins/csp_extension/plugin.rb

@@ -4,5 +4,6 @@
 # authors: xrav3nz
 
 extend_content_security_policy(
-  script_src: ['https://from-plugin.com']
+  script_src: ['https://from-plugin.com'],
+  object_src: ['https://test-stripping.com']
 )

spec/lib/content_security_policy_spec.rb

@@ -111,6 +111,8 @@ describe ContentSecurityPolicy do
 
     plugin.enabled = true
     expect(parse(policy)['script-src']).to include('https://from-plugin.com')
+    expect(parse(policy)['object-src']).to include('https://test-stripping.com')
+    expect(parse(policy)['object-src']).to_not include("'none'")
 
     plugin.enabled = false
     expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')