Apply @wreiske suggestions

packages/browser-policy-content/browser-policy-content.js

@@ -1,7 +1,3 @@
-var isEmpty = Npm.require('lodash.isempty');
-var has = Npm.require('lodash.has');
-var union = Npm.require('lodash.union');
-
 // By adding this package, you get the following default policy:
 // No eval or other string-to-code, and content can only be loaded from the
 // same origin as the app (except for XHRs and websocket connections, which can
@@ -79,7 +75,7 @@ var parseCsp = function (csp) {
   Object.entries(cspSrcs).forEach(function (entry) {
     var directive = entry[0];
     var sources = entry[1];
-    cspSrcs[directive] = union(sources || [], cspSrcs["default-src"] || []);
+    cspSrcs[directive] = [...new Set([...(sources || []), ...(cspSrcs["default-src"] || [])])];
   });
 };
 
@@ -94,7 +90,7 @@ var removeCspSrc = function (directive, src) {
 var prepareForCspDirective = function (directive) {
   cspSrcs = cspSrcs || {};
   cachedCsp = null;
-  if (!has(cspSrcs, directive))
+  if (!(directive in cspSrcs))
     cspSrcs[directive] = [].concat(cspSrcs["default-src"]);
 };
 
@@ -162,7 +158,7 @@ Object.assign(BrowserPolicy.content, {
   },
   // Exported for tests and browser-policy-common.
   _constructCsp: function () {
-    if (! cspSrcs || isEmpty(cspSrcs))
+    if (! cspSrcs || (Object.keys(cspSrcs).length === 0 && cspSrcs.constructor === Object))
       return null;
 
     if (cachedCsp)

packages/browser-policy-content/package.js

@@ -3,12 +3,6 @@ Package.describe({
   version: "1.1.2"
 });
 
-Npm.depends({
-  'lodash.isempty': '4.4.0',
-  'lodash.has': '4.5.2',
-  'lodash.union': '4.6.0'
-});
-
 Package.onUse(function (api) {
   api.use("ecmascript");
   api.use(["browser-policy-common", "webapp"], "server");