I recently configured Vaultwarden behind a Content Security Policy.
For Vaultwarden to work, you have to allow the execution of ‘unsafe-inline’ scripts.
At the same time, this is a major security risk for the entire service.
I wonder why there’s no discussion about this because everyone should have that problem.
Probably without even realizing.
So if I put another CSP on top, the two are going to be active at the same time?
Meaning that when I specify my script-src to allow unsafe-inline, it will get cancelled by the Vaultwarden one (only on the Vault)?
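
The posts above turn on how a browser treats several CSP headers on one response: under the CSP specification every delivered policy is enforced, so a load must be allowed by all of them. The sketch below is an added example, not part of the original posts; it models that rule for inline `<script>` blocks only, and the header values are constructed samples, not Vaultwarden's actual policy.

```javascript
// Added example: models how a browser combines several CSPs for inline <script>.
// Constructed sample header values (assumptions, not Vaultwarden's real policy).
const PROXY_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const APP_CSP = "default-src 'self'; script-src 'self'";

// Split header values into individual policies (one header may carry several,
// comma-separated), then into a directive-name -> source-list map.
function parsePolicies(headerValues) {
  return headerValues
    .flatMap((value) => value.split(","))
    .map((policy) => {
      const directives = new Map();
      for (const part of policy.split(";")) {
        const [name, ...sources] = part.trim().split(/\s+/);
        // The first occurrence of a directive wins; duplicates are ignored.
        if (name && !directives.has(name.toLowerCase())) {
          directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
        }
      }
      return directives;
    })
    .filter((directives) => directives.size > 0);
}

// Does one policy allow an inline <script> block that has no nonce or hash?
function policyAllowsInlineScript(directives) {
  const sources =
    directives.get("script-src-elem") ??
    directives.get("script-src") ??
    directives.get("default-src");
  if (sources === undefined) return true; // no governing directive: unrestricted
  // 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' is present.
  const overridden = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s)
  );
  return sources.includes("'unsafe-inline'") && !overridden;
}

// Every delivered policy is enforced, so inline script runs only if all allow it.
function inlineScriptAllowed(headerValues) {
  return parsePolicies(headerValues).every(policyAllowsInlineScript);
}
```

Feed it the `Content-Security-Policy` values actually seen on a response (for example from the browser's network tab) to see whether a second, stricter policy is the one blocking inline scripts.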