vary CSP header for HTTP and HTTPS, and secure cookies
Slightly ugly on the CSP, but a "set" followed by an "edit" didn't work, it required a second "set" to override the first.
Slightly ugly on the CSP, but a "set" followed by an "edit" didn't work, it required a second "set" to override the first.