Edit Content-Security-Policy without touching the "/etc/nginx/conf.d/security.conf.inc"


Is there a way to allow certain “frame-ancestors” with the “Content-Security-Policy” without doing so in the file “/etc/nginx/conf.d/security.conf.inc”?

I need to allow some specific iframes from another (sub)domain, and it works when adding the line:

more_set_headers "Content-Security-Policy: frame-ancestors https://sub.domain";

Nevertheless, this means that there is no automatic update of the config file, which only recently led me to a problem with the migration.

Thanks for your ideas!

Best, Valentin

I guess you should maybe put this rather in the specific app conf file that you want this to be relevant for.

Also, only specifying the frame-ancestor bit is probably not what you want, as that probably means “no CSP policy for all other aspects”.
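
To illustrate the concern in the reply above (an added example, not code from the thread or from the project): this sketch lists which directives disappear if a policy is replaced by the one-directive value from the question, and builds a merged value that keeps the rest. `BASE_POLICY` is a constructed sample, not the real content of security.conf.inc, and the function names are hypothetical.

```python
def parse_csp(policy):
    """Parse a CSP header value into {directive: [sources]}, keeping order."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # skip empty segments such as a trailing ';'
        # Directive names are case-insensitive; a repeated directive is
        # ignored by browsers, so the first occurrence wins.
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def serialize_csp(directives):
    """Turn the parsed form back into a single header value."""
    return "; ".join(" ".join([name, *sources]) for name, sources in directives.items())


def allow_frame_ancestors(policy, origins):
    """Return the policy with the origins added to frame-ancestors, rest untouched."""
    directives = parse_csp(policy)
    current = directives.get("frame-ancestors", [])
    # 'none' must stand alone, so drop it once real origins are listed.
    merged = [s for s in current if s.lower() != "'none'"]
    for origin in origins:
        if origin not in merged:
            merged.append(origin)
    directives["frame-ancestors"] = merged
    return serialize_csp(directives)


def dropped_directives(old_policy, new_policy):
    """Directives present in old_policy that new_policy no longer carries."""
    new = parse_csp(new_policy)
    return [name for name in parse_csp(old_policy) if name not in new]


# Constructed sample policy (assumption), not the shipped security.conf.inc value.
BASE_POLICY = ("upgrade-insecure-requests; default-src 'self' https:; "
               "object-src 'none'; frame-ancestors 'self'")
# The value from the more_set_headers line in the question.
QUESTION_POLICY = "frame-ancestors https://sub.domain"

if __name__ == "__main__":
    print("lost:", dropped_directives(BASE_POLICY, QUESTION_POLICY))
    print("merged:", allow_frame_ancestors(BASE_POLICY, ["https://sub.domain"]))
```

The merged string is what would go into a single Content-Security-Policy header in the app-specific conf file, in place of the frame-ancestors-only value.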
