WordPress: CSP Header

Posted by shellshock 
WordPress: CSP Header
August 04, 2017 06:16AM
Hi everyone,

I'm using nginx/1.6.2 on a GNU/Linux Debian (Jessie) system and hosting a WordPress site.

The 'general' CSP header I use is:
add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'";

But for a specific WordPress site I want to use a different CSP header:

Right now this is my (not working) solution:
location = /site/ {
    add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'";
}
This ends in a "404 Not Found" error.


But this works:
location = /site/ {
    try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
    add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'";
    include /etc/nginx/conf/php5-ssl.conf;
}

But this means that every site is getting the new CSP header.

The question is, how can I rewrite the CSP header only for the specific site?

Something like:
location = /site/ {
    add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'";
    try_files ???;
}

Maybe someone can help me with this one.

Cheers!
Re: WordPress: CSP Header
August 07, 2017 06:53AM
Can anyone help me with this riddle? :-)
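
One way to scope the relaxed policy to the single page, as an added example that is not part of the original thread: try_files hands /site/ to /index.php, so the response is produced in the \.php$ location and only that location's add_header is applied. The sketch below therefore selects the script-src value with a map on $request_uri, which keeps the original request URI across the internal redirect. The variable name $csp_script_src is an assumption; the paths and policy strings are taken from the post.

```nginx
# http {} context: choose the script-src source list per request.
# $request_uri is the URI as sent by the client (query string included),
# so it still reads "/site/" after the internal redirect to /index.php.
map $request_uri $csp_script_src {
    # every other request keeps the strict value from the general policy
    default           "'self'";
    # only the one page from the post, with or without a query string
    ~^/site/(\?|$)    "'self' 'unsafe-inline' 'unsafe-eval'";
}

server {
    # ... listen, server_name, root and the rest of the existing vhost ...

    location = /site/ {
        # no add_header here: it would not reach the PHP-generated response
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        # one header for all PHP responses; only script-src varies via the map
        add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src $csp_script_src; style-src 'self' 'unsafe-inline'; object-src 'none'";
        include /etc/nginx/conf/php5-ssl.conf;
    }
}
```

add_header directives are inherited from the enclosing level only when the current level defines none, so any other headers set at server level have to be repeated inside the \.php$ location.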