ContentSecurityPolicy headers overwrite each other #159
It's often not allowed or recommended to have several headers with the same name. But there are situations where it is allowed or even necessary. The CSP is one of these.
Imagine a case where a main application creates a CSP and different modules also independently add their own CSPs. The framework MUST render them all separately OR do a preemptive union merge, which is what the client would otherwise do. It will (hopefully) quickly become standard practice that modules provide their own CSPs.
Code to reproduce the issue
```php
$headers = $controller->getResponse()->getHeaders();
$headers->addHeader(new ContentSecurityPolicy($someDirectives));
$headers->addHeader(new ContentSecurityPolicy($someOtherDirectives));
```
The expected result is a response with two CSP headers (OR a union merged CSP).
The second addition overwrites the first; the response contains only that one CSP.
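As an added example (not code from this issue or from the framework), here is a small JavaScript model of what a browser does with a response that carries several `Content-Security-Policy` headers. The CSP specification has the user agent enforce every policy on the response independently, so a request succeeds only if each policy allows it; the `unionMerge` function models the concatenating merge the issue proposes as an alternative, and the usage shows that its result is more permissive than emitting the policies separately. The function names (`parsePolicy`, `policyAllows`, `allowedByAll`, `renderSeparately`, `unionMerge`) and the sample policies are constructed for this example, and source matching is deliberately simplified: `'none'`, `*`, `'self'`, scheme sources such as `https:` and exact-origin host sources only, with no paths, ports or wildcard hosts.

```javascript
'use strict';

// Added example, not part of the issue or the framework: a simplified model of
// how a browser evaluates several Content-Security-Policy headers on one response.

// Parse one policy string into { directiveName: [sourceExpression, ...] }.
// If a directive is repeated inside one policy, the first occurrence wins,
// as the CSP spec requires.
function parsePolicy(policy) {
  const directives = {};
  for (const chunk of policy.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Fetch directives that fall back to default-src when they are absent.
const DEFAULT_SRC_FALLBACK = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
  'manifest-src',
]);

// Does one parsed policy allow a request to `origin` under `directive`?
// `pageOrigin` is the origin of the document the policy protects.
function policyAllows(directives, directive, origin, pageOrigin) {
  let sources = directives[directive];
  if (sources === undefined) {
    if (!DEFAULT_SRC_FALLBACK.has(directive)) return true; // nothing governs it
    sources = directives['default-src'];
    if (sources === undefined) return true;                 // no restriction at all
  }
  return sources.some((src) => {
    const s = src.replace(/^'|'$/g, '').toLowerCase();
    if (s === 'none') return false;                   // 'none' only bites when it stands alone
    if (s === '*') return true;
    if (s === 'self') return origin === pageOrigin;
    if (s.endsWith(':')) return origin.startsWith(s); // scheme source, e.g. "https:"
    return origin === s;                              // host source, exact origin only
  });
}

// Browser semantics: with several policies on one response every policy is
// enforced, and the request goes through only if each one allows it.
function allowedByAll(policies, directive, origin, pageOrigin) {
  return policies
    .map(parsePolicy)
    .every((p) => policyAllows(p, directive, origin, pageOrigin));
}

// Option 1 from the issue: emit each policy as its own header line.
function renderSeparately(policies) {
  return policies.map((p) => `Content-Security-Policy: ${p}`);
}

// The "union merge" the issue proposes: concatenate the source lists of
// like-named directives into one policy. This is NOT equivalent to what the
// browser does with separate headers; see the usage below.
function unionMerge(policies) {
  const merged = {};
  for (const directives of policies.map(parsePolicy)) {
    for (const [name, sources] of Object.entries(directives)) {
      const seen = new Set(merged[name] || []);
      for (const src of sources) seen.add(src);
      merged[name] = [...seen];
    }
  }
  return Object.entries(merged)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Constructed sample input: the main application's policy and one module's policy.
const PAGE_ORIGIN = 'https://app.example.com';
const APP_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com";
const MODULE_POLICY = "script-src 'self' https://analytics.example.net";

function demo() {
  const cdn = 'https://cdn.example.com';
  return {
    headers: renderSeparately([APP_POLICY, MODULE_POLICY]),
    // true: the application's policy alone allows the CDN script
    cdnAllowedByAppOnly: allowedByAll([APP_POLICY], 'script-src', cdn, PAGE_ORIGIN),
    // false: the module's policy does not list the CDN, so the browser blocks it
    cdnAllowedWithBoth: allowedByAll([APP_POLICY, MODULE_POLICY], 'script-src', cdn, PAGE_ORIGIN),
    merged: unionMerge([APP_POLICY, MODULE_POLICY]),
    // true: the union merge re-allows what the separate headers would block
    cdnAllowedByUnionMerge: allowedByAll([unionMerge([APP_POLICY, MODULE_POLICY])], 'script-src', cdn, PAGE_ORIGIN),
  };
}

console.log(demo());
```

The practical consequence for a framework is that the two options in the issue are not interchangeable: emitting one header per policy lets the browser enforce each of them, whereas a merged single header must be no more permissive than any of its inputs, which a plain union of source lists is not.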