I'm running oC 9.1 on a Debian server with Nginx, and am trying to modify various security settings, such as CSP, so https://observatory.mozilla.org is happy.
I set CSP headers using Nginx:
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' https:" always;
But fetching login page headers shows:
Content-Security-Policy:default-src 'self' 'unsafe-inline' https: # what I set in Nginx
Content-Security-Policy:default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' # what is set elsewhere, where?
Obviously I don't want 2 lines, just the first one. But where does the second come from?
I've grep'd all oC installed code and nothing relevant showed up. Am I missing something?
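
Added example, not part of the original post: browsers enforce every Content-Security-Policy header they receive, so a resource load must satisfy each policy. This Python sketch parses the two header lines quoted above (embedded as a constructed sample) and lists the source list each policy applies per directive, including the default-src fallback; the function names are hypothetical.

```python
# Constructed sample: the two header lines quoted in the post above.
RAW_HEADERS = (
    "Content-Security-Policy: default-src 'self' 'unsafe-inline' https:\r\n"
    "Content-Security-Policy: default-src 'none';script-src 'self' 'unsafe-eval';"
    "style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';"
    "connect-src 'self';media-src 'self'\r\n"
)

FETCH_DIRECTIVES = ("script-src", "style-src", "img-src",
                    "font-src", "connect-src", "media-src")


def csp_policies(raw_headers):
    """Return one {directive: [sources]} dict per Content-Security-Policy header."""
    policies = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if not sep or name.strip().lower() != "content-security-policy":
            continue
        policy = {}
        for part in value.split(";"):
            tokens = part.split()
            # Within one policy, a repeated directive is ignored (first one wins).
            if tokens and tokens[0].lower() not in policy:
                policy[tokens[0].lower()] = tokens[1:]
        policies.append(policy)
    return policies


def effective_sources(policy, directive):
    """Source list one policy applies to a fetch directive (default-src fallback)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")  # None: this policy does not restrict it


def report(raw_headers):
    """Map each fetch directive to the source list every policy applies to it."""
    policies = csp_policies(raw_headers)
    return {d: [effective_sources(p, d) for p in policies] for d in FETCH_DIRECTIVES}


if __name__ == "__main__":
    for directive, per_policy in report(RAW_HEADERS).items():
        print(directive)
        for i, sources in enumerate(per_policy, 1):
            shown = " ".join(sources) if sources is not None else "(unrestricted)"
            print(f"  policy {i}: {shown}")
```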