diff --git a/mercurial/hgweb/request.py b/mercurial/hgweb/request.py
--- a/mercurial/hgweb/request.py
+++ b/mercurial/hgweb/request.py
@@ -473,6 +473,7 @@ class wsgiresponse(object):
                           if k.lower() not in ('date', 'etag', 'expires',
                                                'cache-control',
                                                'content-location',
+                                               'content-security-policy',
                                                'vary')}
             if badheaders:
                 raise error.ProgrammingError(
diff --git a/tests/test-hgweb-csp.t b/tests/test-hgweb-csp.t
--- a/tests/test-hgweb-csp.t
+++ b/tests/test-hgweb-csp.t
@@ -57,8 +57,8 @@ static page should send CSP when enabled
   $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy
   200 Script output follows
   content-security-policy: script-src https://example.com/ 'unsafe-inline'
-  500 Internal Server Error
-  [1]
+  304 Not Modified
+  content-security-policy: script-src https://example.com/ 'unsafe-inline'
 
 repo page should send CSP by default, include etag w/o nonce