Multiple CSP headers
lode opened this issue
Is it possible to send out multiple CSP headers? (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#multiple_content_security_policies)
When doing multiple `app.use(contentSecurityPolicy({...}))` calls, only the last one seems to be used.
When changing `reportOnly` for each of the calls, it does send out different headers. But this seems logical since the header-key is actually changing.
No, this is not supported.
You can achieve this by setting the header yourself:
```js
res.setHeader("Content-Security-Policy", [
  "default-src 'self' http://example.com; connect-src 'none';",
  "connect-src http://example.com/; script-src http://example.com/",
]);
```
Does that help?
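An added example (not from this thread and not helmet's own code): the manual-header approach from the reply above wrapped as Express-style middleware, with each policy built from a directive map. `serializePolicy` and `multiCsp` are hypothetical names; values containing `;`, `,` or whitespace are rejected because a semicolon starts a new directive and a comma starts a new policy in the header value.

```javascript
// Added example: hypothetical helpers, not part of helmet or Express.

// Turn { "default-src": ["'self'"], ... } into one serialized policy string.
function serializePolicy(directives) {
  const parts = Object.entries(directives).map(([name, values]) => {
    if (!/^[a-z-]+$/.test(name)) {
      throw new Error(`invalid directive name: ${name}`);
    }
    for (const value of values) {
      // ";" would begin another directive, "," another policy,
      // and whitespace would split one source into several.
      if (value === "" || /[;,\s]/.test(value)) {
        throw new Error(`invalid value in ${name}: ${JSON.stringify(value)}`);
      }
    }
    return [name, ...values].join(" ");
  });
  if (parts.length === 0) throw new Error("empty policy");
  return parts.join("; ");
}

// Express-style middleware: every policy is passed as its own array entry,
// so Node emits one header line per policy.
function multiCsp(policies, { reportOnly = false } = {}) {
  const headerName = reportOnly
    ? "Content-Security-Policy-Report-Only"
    : "Content-Security-Policy";
  const headerValues = policies.map(serializePolicy); // validated once, at startup
  return function multiCspMiddleware(req, res, next) {
    res.setHeader(headerName, headerValues);
    next();
  };
}

// The two policies from the reply above, written as directive maps.
const examplePolicies = [
  { "default-src": ["'self'", "http://example.com"], "connect-src": ["'none'"] },
  { "connect-src": ["http://example.com/"], "script-src": ["http://example.com/"] },
];

// Usage in an Express app: app.use(multiCsp(examplePolicies));
```

Register this after any other middleware that sets the same header name, since a later `setHeader` call replaces the earlier value.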
Yes, I understand.
For my use case right now (multiple `report-uri`s) I found it is also possible to pass an array to `report-uri`. I didn't know that syntax, but it seems to work fine.
But if it won't, I'll be able to set the header manually. Tnx!
Great! I'm going to close this issue because I think your problem is resolved, but let me know if that's wrong.