Directus CSP sets `frame-src` to `https://` only

[blowsie]

Refused to frame 'http://localhost:3000/' because it violates the following Content Security Policy directive: "frame-src https://*".

Using the defaults in both the CMS and the preview, the preview does not work due to the directus CSP

[blowsie]

Seems to be confirmed, hacking the CSP headers out with a browser extension, fixes the issue.

https://community.directus.io/t/preview-issues-csp-related/869?u=blowsie