Remove default CSP header content partly

[dargmuesli]

Hey, is there any way to remove the default script-src-attr from the CSP headers? I know that I can remove the 'none' value from it by settings its value to [] but that still keeps the key around, potentially making values in script-src ineffective.

[Baroshem]

Hey,

Have you tried:

  security: {
    headers: {
      contentSecurityPolicy: {
        'script-src-attr': false,
      }
    },
  }

[dargmuesli]

Yes, just verified it, script-src-attr: [] removes the header part for me :)

[dargmuesli]

Nvm, script-src-attr: [] does remove the script-src-attr part on development, but not on static build!
That's where my confusion came from.

[dargmuesli]

'script-src-attr': false actually does result in the header being removed in development as well as static build.

[dargmuesli]

I raised #286 to address this

[Baroshem]

Closing as the feature was implemented :)