Defining Multiple Content-Security-Policy-Report-Only in Headers

Hey all, I'm defining a _headers file for my Cloudflare page, but wanted to break up Content-Security-Policy-Report-Only over multiple lines since it is getting pretty long. I wanted to take advantage of https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#multiple_content_security_policies and have something like
/*
Content-Security-Policy-Report-Only: default-src 'self'
Content-Security-Policy-Report-Only: worker-src 'self' blob:
/*
Content-Security-Policy-Report-Only: default-src 'self'
Content-Security-Policy-Report-Only: worker-src 'self' blob:
but Cloudflare automatically just appends the two with a , breaking the logic. Any way I can achieve this?
MDN Web Docs
Content-Security-Policy - HTTP | MDN
The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (Cross-site_scripting).
1 Reply
Chaika
Chaika5mo ago
That's documented behavior with no override:
If a header is applied twice in the _headers file, the values are joined with a comma separator.
Gotta be one line
Want results from more Discord servers?
Add your server