
Overwrite Nginx Content-Security-Policy within PHP?

Posted 1 month ago by click

Hello,

I'm wondering if it is possible to overwrite the Content-Security-Policy configured in an Nginx configuration from within PHP (Laravel).

Currently I'm unable to do so, and I can't find anything on the web about whether this is even possible.

Nginx config

add_header Content-Security-Policy "default-src 'self'";

PHP

Route::get('wiki', function(){
    return response('<iframe src="https://www.wikipedia.org"></iframe>')->withHeaders([
        'Content-Security-Policy' => 'default-src https://www.wikipedia.org',
    ]);
});

Response

content-security-policy: default-src https://www.wikipedia.org
content-security-policy: default-src 'self'

Result: Wikipedia is not loaded in the iframe. If I change the nginx config to default-src https://www.wikipedia.org, Wikipedia is loaded into the iframe.

Does anyone have experience with this? Is it even possible to overwrite CSP headers from within PHP if they are already set?

Thanks
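
The response above carries two Content-Security-Policy headers, and a browser enforces every policy it receives, so the iframe must be allowed by all of them. The following is an added example, not part of the original post: a simplified JavaScript model of that check, in which the page origin `https://app.example` and all function names are assumptions.

```javascript
// Simplified model: 'self', '*' and exact scheme://host sources can match;
// anything else (including 'none') never matches. No wildcards, ports or paths.

// Parse one header value into a Map of directive name -> source list.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Source list governing frames: frame-src, then child-src, then default-src.
function frameSources(policy) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (policy.has(name)) return policy.get(name);
  }
  return null; // this policy does not restrict frames
}

function policyAllowsFrame(policy, frameUrl, pageOrigin) {
  const sources = frameSources(policy);
  if (sources === null) return true;
  const frameOrigin = new URL(frameUrl).origin;
  return sources.some((src) => {
    if (src === "'self'") return frameOrigin === pageOrigin;
    if (src === '*') return true;
    try { return new URL(src).origin === frameOrigin; } catch { return false; }
  });
}

// Every policy delivered with the response must allow the frame.
function frameAllowed(headerValues, frameUrl, pageOrigin) {
  return headerValues.map(parsePolicy)
    .every((policy) => policyAllowsFrame(policy, frameUrl, pageOrigin));
}

// Header values from the post; the page origin is an assumed placeholder.
const PAGE_ORIGIN = 'https://app.example';
const observed = ['default-src https://www.wikipedia.org', "default-src 'self'"];
const wiki = 'https://www.wikipedia.org/';
console.log(frameAllowed(observed, wiki, PAGE_ORIGIN));      // false
console.log(frameAllowed([observed[0]], wiki, PAGE_ORIGIN)); // true
```

The second call models a response that carries only the PHP-set policy, and the frame is allowed once the `default-src 'self'` policy is no longer sent alongside it.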
