Modifying site.preview.contentSecurityPolicy in com.enonic.xp.admin.cfg has no effect

**Enonic version:**7.14.4
OS: macOS 14.5 (23F79)

Ive tried to both modify and disable site.preview.contentSecurityPolicy, but i dosent seem to affect anything. Im using Content Studio, clicking preview, opening new tab, the page is trying to do a client side request to an api. This fails:

Network tab:
https://foo.bar/fault-codes/lookup/?info=1&instance=0&condition=0 (blocked:csp) xhr index.js:27

So Im wondering why the headers of my page still looks like this:


Even though site.preview.contentSecurityPolicy is set to nothing? Am I missing something?

Figured this one out! The app “Security Headers” is installed. Its overriding the .cfg.

2 Likes