avoid modifying settings['headers'] in add_default_headers

Use a copy to avoid writing content security policy into settings['headers'],
which can be a problem because APIHandlers have a stricter CSP than page handlers.

If an API request is made before the first page request, pages will fail to load due to CSP violations.

notebook/base/handlers.py

@@ -68,13 +68,14 @@ class AuthenticatedHandler(web.RequestHandler):
         ])
 
     def set_default_headers(self):
-        headers = self.settings.get('headers', {})
+        headers = {}
+        headers.update(self.settings.get('headers', {}))
 
         if "Content-Security-Policy" not in headers:
             headers["Content-Security-Policy"] = self.content_security_policy
-
+        
         # Allow for overriding headers
-        for header_name,value in headers.items() :
+        for header_name, value in headers.items():
             try:
                 self.set_header(header_name, value)
             except Exception as e: