CSP header is applied on a per-page-basis and for AJAX response applied by the context that performed the fetch

public/api.php

@@ -38,9 +38,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
             
             // set http header
             header("HTTP/1.0 404 Not Found");
-            
-            // forbid browser to load javascript from an external location
-            header("Content-Security-Policy: script-src 'self'");
 
             // prevent caching explicitly
             header("Expires: -1");
@@ -49,9 +46,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
             // set http header
             header("HTTP/1.0 200 OK");
             
-            // forbid browser to load javascript from an external location
-            header("Content-Security-Policy: script-src 'self'");
-            
             // set content-type and charset
             header('Content-Type: application/x-json-encrypted; charset=utf-8');
 
@@ -94,9 +88,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
             // set http header
             header("HTTP/1.0 200 OK");
             
-            // strict transport security header
-            header("Strict-Transport-Security: max-age=31536000");
-            
             // set content-type and charset
             header('Content-Type: application/x-json-encrypted; charset=utf-8');
 
@@ -129,9 +120,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
     default:
         // set http header
         header("HTTP/1.0 400 Bad Request");
-        
-        // forbid browser to load javascript from an external location
-        header("Content-Security-Policy: script-src 'self'");
 
         // prevent caching explicitly
         header("Expires: -1");