Developer forum

Forum » CMS - Standard features » DW9 Security settings - Custom Headers - not possible to implement CSP with multiple directives.

DW9 Security settings - Custom Headers - not possible to implement CSP with multiple directives.

E-mail notifications
Kevin Steffer
Kevin Steffer
Reply
Posted on 21/10/2024 09:29:48

Hi - although you mention that you can implement a Content-Securty-Policy using the Custom Headers field it doesn't work since you somehow split the custom headers data on the ";"-character.

In a CSP the ";"-character must be used within the value to seperate the different directives (e.g. Content-Security-Policy: scripts-src 'self'; img-src 'self';style-src 'self'; etc)

Hence only the first directive you write is being output to the browser.

(Issue found on v9.17.4)

 


Replies

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Posted on 21/10/2024 16:42:29
Reply
This post has been marked as an answer

Hi Kevin

Yes, I can see that! I will register a bug for it.

As I understand this: https://content-security-policy.com/examples/multiple-csp-headers/ it should be possible to add multiple headers:

So that might be a workaround until a fix is ready.

BR Nicolai

Votes for this answer: 1
 
Kevin Steffer
Kevin Steffer
Posted on 21/10/2024 17:01:53
Reply

yeah - cool for a workaround

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Posted on 21/10/2024 17:22:47
Reply

Registered as devops#21709

 

You must be logged in to post in the forum