Developer forum

DW9 Security settings - Custom Headers - not possible to implement CSP with multiple directives.

Kevin Steffer

Hi - although you mention that you can implement a Content-Security-Policy using the Custom Headers field, it doesn't work since you somehow split the custom headers data on the ";"-character.

In a CSP the ";"-character must be used within the value to separate the different directives (e.g. Content-Security-Policy: script-src 'self'; img-src 'self'; style-src 'self'; etc.)

Hence only the first directive you write is being output to the browser.

(Issue found on v9.17.4)

 


Replies

 
Nicolai Pedersen Dynamicweb Employee
This post has been marked as an answer

Hi Kevin

Yes, I can see that! I will register a bug for it.

As I understand this: https://content-security-policy.com/examples/multiple-csp-headers/ it should be possible to add multiple headers:

So that might be a workaround until a fix is ready.

BR Nicolai

Votes for this answer: 1
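
Added example, not part of the thread and not Dynamicweb code: a simplified model of how a browser combines several Content-Security-Policy headers, comparing the intended single header, the truncated header the reported bug produces, and the one-header-per-directive workaround. The origins are constructed, and the source matching (only 'self', '*' and exact origins, with fallback to default-src) is a deliberate simplification of the CSP rules.

```javascript
// Parse one header value into a Map of directive name -> source list.
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Within one policy, a repeated directive is ignored (first one wins).
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does a single policy allow loading `origin` for the given fetch directive?
function policyAllows(policy, directive, origin, selfOrigin) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // policy does not govern this resource type
  // 'none' matches nothing, so it falls through to false.
  return sources.some((s) =>
    s === "*" || (s === "'self'" && origin === selfOrigin) || s === origin);
}

// Each header is an independent policy; a load must satisfy every one of them.
function allowed(headerValues, directive, origin, selfOrigin) {
  return headerValues.map(parsePolicy)
    .every((p) => policyAllows(p, directive, origin, selfOrigin));
}

const SELF = "https://shop.example"; // constructed site origin
const CDN = "https://cdn.example";   // constructed third-party origin

// The policy from the original post.
const intended = "script-src 'self'; img-src 'self'; style-src 'self'";
const truncated = [intended.split(";")[0]]; // only the first directive is sent
const perDirective = intended.split(";").map((d) => d.trim()).filter(Boolean);

// A policy that relies on default-src does not survive being split.
const withDefault = "default-src 'none'; script-src 'self'";
const withDefaultSplit = ["default-src 'none'", "script-src 'self'"];

console.log("truncated lets CDN images load:", allowed(truncated, "img-src", CDN, SELF));
console.log("split headers block CDN images:", !allowed(perDirective, "img-src", CDN, SELF));
console.log("single header allows own scripts:", allowed([withDefault], "script-src", SELF, SELF));
console.log("split headers allow own scripts:", allowed(withDefaultSplit, "script-src", SELF, SELF));
```

One header per directive matches the intended policy only when no directive depends on default-src as a fallback; in the split form a lone `default-src 'none'` header blocks everything on its own, whatever the other headers permit.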
 
Kevin Steffer

yeah - cool for a workaround

 
Nicolai Pedersen Dynamicweb Employee

Registered as devops#21709
