Changing configuration option cspScript has no effect
Concerned version
Version: 2.0.2
Platform: Docker / CentOS 7 / Apache 2.4.6 (mpm prefork)
Summary
Changing configuration option cspScript has no effect
In manager General Parameters > Advanced Parameters > Security > Content security policy, changing 'script source' value has no effect since it's absent from http headers. I had to change 'default value' instead Here is the value I get in portal page response headers:
Content-Security-Policy: default-src 'self' 'unsafe-eval';img-src 'self' data:;style-src 'self' 'unsafe-inline';font-src 'self';connect-src 'self';form-action 'self';frame-ancestors 'none';
As you can see 'script-src' is missing.