fix: page response missing CSP and Link headers when return promise in load

[0x221A]

closes #11801

---

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

• Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

[changeset-bot]

🦋 Changeset detected

Latest commit: c8eb682

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[teemingc]

Thank you for the PR. I think it's good to merge, but is it possible if we add some kind of test such as one that checks that the CSP headers are included in the server response? Maybe as an additional test in this test suite:

kit/packages/kit/test/apps/options/test/test.js

Lines 115 to 139 in 6f273fb

	test.describe('CSP', () => {
	test('blocks script from external site', async ({ page, start_server }) => {
	const { port } = await start_server((req, res) => {
	if (req.url === '/blocked.js') {
	res.writeHead(200, {
	'content-type': 'text/javascript'
	});
	res.end('window.pwned = true');
	} else {
	res.writeHead(404).end('not found');
	}
	});
	await page.goto(`/path-base/csp?port=${port}`);
	expect(await page.evaluate('window.pwned')).toBe(undefined);
	});
	test("quotes 'script'", async ({ page }) => {
	const response = await page.goto('/path-base');
	expect(response.headers()['content-security-policy']).toMatch(
	/require-trusted-types-for 'script'/
	);
	});
	});

[0x221A]

@eltigerchino sure!

[teemingc]

Thank you so much!