https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#multiple_content_security_policies it is possible to split the header content into many headers with the same name

dang I was looking if this is possible

thanks @U04V4KLKC I will try it out

hmm I’m possibly doing something wrong

but it seems like only the default-src is read

trying this next: https://serverfault.com/a/854238

turns out that extra headers can only further restrict, this is why I can’t have multiple in effect

I'm not sure I follow) could you tell more what are trying to get at the end?

I have a really big policy (lots of 3rd party content we link to)

so very soon it will not be able to fit in this nginx config buffer allocations: https://github.com/nginx/nginx/blob/master/src/core/ngx_conf_file.c#L11

what you suggested could have worked if it was all in the same default-src fetch directive

I could be doing something wrong, but what I see is the extra policies I’ve set are ignored and it is falling back to default-src:

I get errors like ” Note that ‘font-src’ was not explicitly set, so ‘default-src’ is used as a fallback.”

is the origin of font file the same as the origin of response? self means: allow if the font is loaded from the same host as the page itself.

there are further origins I specify afterwards

it seems to not see any of the policy as it says its not explicitly set

yeah probably self should be removed, but it hasn’t caused us issues so far

I don't have enough experience configuring CSP headers, sorry

After seeing so many posts like this one and also trying it for a bit myself only to see it fail spectacularly, I'm sticking to Wiki and random blog posts for the time being.

As that 3.5 or 4? 4 seems to be quite a bit more reliable:

Even better with plugins!

Now try asking it what the correct RegEx for parsing emails is. :) But this already might be in the zeitgeist, not sure.

Pretty good response

If 5 is to 4 as 4 is to 3, we may all be able to pack up and enjoy our obsolescence.

How do you know if it's 3.5 or 4. I just go to openai and click try chatgpt

You have to use the pro feature or the API and request access to 4. It's quite a bit slower, but much smarter.

@U066ZAMBJ "For most practical purposes" - that's what I'm talking about. It cannot come up with a correct and complete answer. At the very least, there are quite a few characters that should be allowed that that RegEx doesn't let through (assuming, I myself read that RFC correctly). And I wouldn't be surprised if the RegEx lets through some stuff that shouldn't be. "It's a trade-off" - yeah, nah. It's a trade-off if you have to think come up with a RegEx yourself. It's not a trade-off when there already is a solution in the form of some library.

Not entirely related, but I recently got bitten by it - because, while the main Apple account accepts + in email addresses just fine, some specific services do not. Wasn't fun to work around that one.

GPT is still a language model and not a knowledge model. It creates text in the first place, not neccessarly correct text. ;-)