When custom headers are added, they are sent on the first login, but the Content-Security-Policy is sent twice, and at a much less strict setting. So, for example, I set the CSP to the following:
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';base-uri 'self'; frame-ancestors 'self'; font-src 'self'; frame-src 'self'
If I remove the custom headers and leave it blank, the CSP that is child-src 'self' still gets returned.
So according to our security group, we should only be seeing one CSP returned, not two. It does appear that it's hard-coded somewhere and getting returned. Should the custom headers not override the default?
Release : 20.2
Component : PERFORMANCE MANAGEMENT INTEGRATIONS
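
A check for the behaviour reported above, as an added example rather than code from the product or its vendor: it counts the Content-Security-Policy policies in a response and lists each one, including policies folded into one header with commas. The sample response is constructed from the two values quoted in the report; browsers enforce every policy they receive, so a second header adds restrictions rather than replacing the first.

```python
# Added example. RAW_RESPONSE is constructed from the values quoted in the
# report; it is not a capture from the product.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' "
    "'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' "
    "'unsafe-inline';base-uri 'self'; frame-ancestors 'self'; font-src 'self'; "
    "frame-src 'self'\r\n"
    "content-security-policy: child-src 'self'\r\n"
    "\r\n"
)


def csp_policies(raw_response):
    """Return one dict (directive -> list of sources) per CSP policy delivered."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    policies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "content-security-policy":
            continue
        # One header may carry several policies separated by commas, which is
        # also how intermediaries fold repeated headers into a single line.
        for serialized in value.split(","):
            policy = {}
            for directive in serialized.split(";"):
                tokens = directive.split()
                # Within one policy, the first occurrence of a directive wins.
                if tokens and tokens[0].lower() not in policy:
                    policy[tokens[0].lower()] = tokens[1:]
            if policy:
                policies.append(policy)
    return policies


def report(raw_response):
    """Build a short human-readable summary of the policies in a response."""
    policies = csp_policies(raw_response)
    lines = [f"{len(policies)} CSP policy(ies) delivered"]
    for i, policy in enumerate(policies, 1):
        text = "; ".join(" ".join([d] + s) for d, s in policy.items())
        lines.append(f"  policy {i}: {text}")
    if len(policies) > 1:
        lines.append("  more than one policy: the browser enforces all of them")
    return lines


if __name__ == "__main__":
    print("\n".join(report(RAW_RESPONSE)))
```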