I need to attach 2 different Security Response Headers to a single CloudFront distribution via multiple behaviours.
The requirement is -
The 1st response header will contain static 'connect-src' URLs which are applicable to all stacks.
The 2nd response header will contain the project-specific 'connect-src' URL.
Below are my security header policies -
Policy with Static URLs
default-src 'self' 'unsafe-eval' 'unsafe-inline' *.xyz.com *.abc.com *.abc-xyz.com login.microsoftonline.com; object-src 'self' data: 'unsafe-eval'; font-src 'self' *.abc.com *.abc-xyz.com data: fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google-analytics.com ajax.googleapis.com *.api.splkmobile.com login.microsoftonline.com *.abc-xyz.com; img-src 'self' data: *.xyz.com *.aiam-dh.com *.abc.com *.abc-xyz.com www.google-analytics.com ajax.googleapis.com *.api.splkmobile.com *.tile.openstreetmap.org tiles.wmflabs.org login.microsoftonline.com *.basemaps.cartocdn.com *.splunk.com images.squarespace-cdn.com; connect-src 'self' data: *.abc.com *.api.splkmobile.com login.microsoftonline.com wss://*.abc.com:* wss://*.xyz.com:* wss://*.jkl.com:* wss://*.atrxyz.com:* https://*.abc.com:* https://*.xyz.com:* https://*.jkl.com:* https://*.atrxyz.com:* https://my-static-url.execute-api.us-east-1.amazonaws.com/qa/auth https://my-static-url.execute-api.us-east-1.amazonaws.com/qa/userInfo https://my-static-url.execute-api.us-east-1.amazonaws.com/qa/refresh https://my-static-url.execute-api.us-east-1.amazonaws.com/qa/logout; upgrade-insecure-requests; block-all-mixed-content; frame-src 'self' data: *.abc.com https://authpd.xyz.abc.com;
Policy with project-specific URL
default-src 'self' 'unsafe-eval' 'unsafe-inline' *.xyz.com *.abc.com *.abc-xyz.com login.microsoftonline.com; object-src 'self' data: 'unsafe-eval'; font-src 'self' *.abc.com *.abc-xyz.com data: fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google-analytics.com ajax.googleapis.com *.api.splkmobile.com login.microsoftonline.com *.abc-xyz.com; img-src 'self' data: *.xyz.com *.aiam-dh.com *.abc.com *.abc-xyz.com www.google-analytics.com ajax.googleapis.com *.api.splkmobile.com *.tile.openstreetmap.org tiles.wmflabs.org login.microsoftonline.com *.basemaps.cartocdn.com *.splunk.com images.squarespace-cdn.com; connect-src 'self' data: *.abc.com *.api.splkmobile.com login.microsoftonline.com wss://*.abc.com:* wss://*.xyz.com:* wss://*.jkl.com:* wss://*.atrxyz.com:* https://*.abc.com:* https://*.xyz.com:* https://*.jkl.com:* https://*.atrxyz.com:* https://my-project-url.execute-api.us-east-1.amazonaws.com/en/graphql; upgrade-insecure-requests; block-all-mixed-content; frame-src 'self' data: *.abc.com https://authpd.xyz.abc.com;
But when I attach the two policies as different behaviours under a single distribution, I get the error message -
Refused to connect to 'https://my-dynamic-url.execute-api.us-east-1.amazonaws.com/en/graphql' because it violates the document's Content Security Policy.
I also tried changing the order of these behaviours and I get this error message:
Refused to connect to 'https://my-static-url.execute-api.us-east-1.amazonaws.com/qa/auth' because it violates the following Content Security Policy directive: "connect-src 'self' data: *.abc.com *.api.splkmobile.com login.microsoftonline.com wss://*.abc.com:* wss://*.xyz.com:* wss://*.jkl.com:* wss://*.abc-xyz.com:* https://*.abc.com:* https://*.xyz.com:* https://*.jkl.com:* https://*.abc-xyz.com:* https://my-dynamic-url.execute-api.us-east-1.amazonaws.com/en/graphql".
Is there a way to implement what I am trying, or do I have to rely on creating a combined response header for each project? I want to avoid this so that if, in the future, I need to update or modify my static URLs, I just need to modify a single response header instead of all of those created for multiple projects.
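The errors above follow from how CSP is enforced: the policy that governs a fetch is the one delivered with the HTML document, so the behaviour serving the API path never contributes its connect-src, and when a document does receive more than one policy each is enforced independently, so a request must satisfy all of them rather than any of them. The Python below is an added example, not part of the question or of CloudFront: it implements a simplified CSP3 connect-src matcher over shortened versions of the two connect-src lists (the document origin is a placeholder) and shows each list allowing only its own endpoint, two policies together allowing neither, and one merged list allowing both.

```python
from urllib.parse import urlsplit

# Shortened connect-src values taken from the two policies in the question (constructed sample).
STATIC_CONNECT_SRC = ("'self' https://*.abc.com:* "
                      "https://my-static-url.execute-api.us-east-1.amazonaws.com/qa/auth")
PROJECT_CONNECT_SRC = ("'self' https://*.abc.com:* "
                       "https://my-project-url.execute-api.us-east-1.amazonaws.com/en/graphql")
DOCUMENT_ORIGIN = "https://app.example.invalid"  # assumed origin of the SPA (placeholder)
DEFAULT_PORTS = {"https": 443, "wss": 443, "http": 80, "ws": 80}

def _parse_source(expr, doc_scheme):
    # Returns (scheme, host, port, path); port is '', '*' or digits, path '' when absent.
    scheme, sep, rest = expr.partition("://")
    if not sep:                        # no scheme given: the document's scheme applies
        scheme, rest = doc_scheme, expr
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    return scheme.lower(), host.lower(), port, "/" + path if slash else ""

def source_matches(expr, url, doc_origin=DOCUMENT_ORIGIN):
    """Simplified CSP3 check of one source expression against a request URL."""
    if expr.startswith("'"):           # keywords: only 'self' can ever match a URL
        if expr != "'self'":
            return False
        expr = doc_origin
    u = urlsplit(url)
    scheme, host, port, path = _parse_source(expr, urlsplit(doc_origin).scheme)
    hn = u.hostname or ""              # *.abc.com needs at least one label before abc.com
    host_ok = hn.endswith(host[1:]) if host.startswith("*.") else hn == host
    if u.scheme != scheme or not host_ok:
        return False
    want_port = int(port) if port.isdigit() else DEFAULT_PORTS.get(scheme)
    if port != "*" and (u.port or DEFAULT_PORTS.get(u.scheme)) != want_port:
        return False
    if path.endswith("/"):             # a path ending in / is a prefix, otherwise exact
        return u.path.startswith(path)
    return not path or u.path == path

def allowed_by(connect_src, url, doc_origin=DOCUMENT_ORIGIN):
    """One connect-src value allows the URL if any of its source expressions matches."""
    return any(source_matches(e, url, doc_origin) for e in connect_src.split())

def allowed_by_all(connect_srcs, url, doc_origin=DOCUMENT_ORIGIN):
    """Several CSP headers on one document are enforced independently: all must allow it."""
    return all(allowed_by(v, url, doc_origin) for v in connect_srcs)

def merged_connect_src(*values):
    """A single combined connect-src: union of the source lists, deduplicated, order kept."""
    return " ".join(dict.fromkeys(" ".join(values).split()))
```

The matcher covers host wildcards, port wildcards, default ports and path matching, but omits CSP details such as http sources also matching https and redirect handling.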