How to correctly set CSP?

I'm running oC 9.1 on a Debian server with Nginx, and try to modify various security settings, such as CSP, so https://observatory.mozilla.org is happy.

I set CSP headers using Nginx:
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' https:" always;

But fetching login page headers shows:
Content-Security-Policy:default-src 'self' 'unsafe-inline' https: # what I set in Nginx
Content-Security-Policy:default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' # what is set elsewhere, where?

Obviously I don't want 2 lines, just the first one. But where does the second comes from?
I've grep'd all oC installed code and nothing relevant showed up. Am I missing something?

Hi,

why are you messing around with the CSP? Just let ownCloud set the correct CSP (which oC is doing right) and you won't have this issue.

Hi,

Because I like to inspect how things work
I'm not saying oC did not set CSP correcly, it seems indeed correct. But I'm curious how it is set.

Hi,

if you grep through the code of ownCloud you will find the location where this is set:

Patching random places in code is problematic. See this gist for an example showing how apps can add custom Content Security Policies: https://gist.github.com/butonic/4e6d050b778866e3aa99af14d9474613

Also see the initial PR: https://github.com/owncloud/core/pull/21989#issue-129480520