Why does CloudFront not deliver the content-security-policy set in a ResponseHeadersPolicy? (2022)
Amazon says we can use CloudFront Response Headers Policies to set a Content Security Policy for a static/Angular web bundle served from S3 bucket.

To that end, I defined a policy (to allow src-style 'unsafe-inline'): [screenshot]

And attached it to my distribution: [screenshot]

CloudFront console and API queries all confirm the policy is linked, but when I access the content (curl or Chrome), the header still contains:

content-security-policy: default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'

(so Chrome rejects the style elements)

Caching is disabled.

I know CF has the updated policy: I can set an alternate custom header on the origin (which works), and when I replace that with the CSP, the X-diddle header disappears, but the CSP does not replace it! TTBOMK there is no meta-data coming from the S3-Origin (but we say override, anyway).

What can I do to provoke CF to send the designated content-security-policy?

Mckay answered 16/9, 2022 at 23:20 Comment(0)

Ok, never mind: there was a CloudFront function attached to the distribution which interposes on the Response, and that function was setting the content-security-policy.

Mckay answered 17/9, 2022 at 0:37 Comment(0)
