
CSP defined in apache conf not working when serving php files

I am configuring an Apache CSP lockdown of a site, and experienced a strange behavior when I open the same file as a PHP script compared to opening it as an HTML file.

The HTML file is:

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta http-equiv="cache-control" content="no-cache" />
    <script TYPE="text/javascript" src="injectblob.js" nonce="NEFFZW1HYjB4SnB0b0lHRlAzTmQ="></script>
  </head>
  <body>
   here
  </body>
</html>

And the PHP file is:

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta http-equiv="cache-control" content="no-cache" />
    <script TYPE="text/javascript" src="injectblob.js.php" nonce="HNEFFZW1HYjB4SnB0b0lHRlAzTmQ="></script>
  </head>
  <body>
    her
  </body>
</html>

The only difference is the name of the JavaScript file.

The JavaScript file, both as .js and as .js.php, is:

"use strict"
var inject1=function(){
  const s = document.createElement('script');
  s.textContent = 'alert("STRING says hello")';
  s.setAttribute("type","text/javascript");
//  s.setAttribute("nonce","NEFFZW1HYjB4SnB0b0lHRlAzTmQ=");
  document.head.appendChild(s);
}

var inject2=function(){
  const s = document.createElement('script');
  const b = new Blob(['alert("BLOB says hello")'], { type: 'text/javascript' });
  const u = URL.createObjectURL(b);
  s.src = u;
  s.setAttribute("type","text/javascript");
//  s.setAttribute("nonce","NEFFZW1HYjB4SnB0b0lHRlAzTmQ=");
  document.head.appendChild(s);
}
window.onload=function(){
  inject1();
  inject2();
}

My CSP headers, set in a virtual host in the Apache conf, are:

Header add Content-Security-Policy "default-src 'self' blob: 'nonce-NEFFZW1HYjB4SnB0b0lHRlAzTmQ='"
Header add Content-Security-Policy "script-src 'self' 'nonce-NEFFZW1HYjB4SnB0b0lHRlAzTmQ='"

When it is run as an HTML file the CSP is working, and the appropriate warnings are seen in the browser console window as "Refused to execute inline script because it violates...". But when I run the same files as PHP the injected scripts are run as if no CSP rules were present.

In the browser Network window, clicking on the files shows the CSP rules for the HTML files but not for the PHP files.

I know I can add the appropriate headers in PHP, but it would be rather convenient to define CSP in only one place, and override it in PHP when necessary, as when I want to set a SHA hash in certain script tags to inject JavaScript received (encrypted/decrypted) via fetch.

My question is twofold.

  1. Can I set CSP in the Apache conf so that the rules apply to PHP scripts as well as HTML files?

  2. If the answer to question 1 is positive, do CSP headers set in PHP override CSP headers set in the Apache conf?

I obviously did not dig deep enough before I asked the question. The CSP header part of the Apache virtual host conf is wrapped in a directive. I had not included php in the FilesMatch directive.

As for overriding the Apache conf with a PHP header: it does not work. Apache is the topmost CSP!

To get the functionality mentioned in the question, I will have to combine FilesMatch in Apache without php in the directive, and manually include the appropriate headers in PHP, AND be aware to ALWAYS include them in PHP scripts. Maybe not the safest way, but the only way to do it if I want to set a SHA hash in certain script tags to inject JavaScript received (encrypted/decrypted) via fetch. The solution is prone to human error, I know :-(
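As an added illustration of the answer above (example configuration, not part of the original post), the two vhost variants it describes, assuming the CSP Header lines live inside a FilesMatch block as the author found; the nonce value is the one from the question and is reused here only for illustration:

```apacheconf
# Variant 1: CSP defined in one place, applied to both .html and .php responses.
# The original FilesMatch pattern covered only .html, so PHP responses
# carried no Content-Security-Policy header at all.
<FilesMatch "\.(html|php)$">
    # "set" replaces any existing header. The question used "add" twice, which
    # emits two CSP headers; browsers enforce every policy independently, so
    # both are folded here into one equivalent policy.
    Header set Content-Security-Policy "default-src 'self' blob: 'nonce-NEFFZW1HYjB4SnB0b0lHRlAzTmQ='; script-src 'self' 'nonce-NEFFZW1HYjB4SnB0b0lHRlAzTmQ='"
</FilesMatch>

# Variant 2: what the author settled on. Apache sets the header only for
# static .html files; every PHP script must send its own CSP header with
# header('Content-Security-Policy: ...'), e.g. to carry a per-script hash.
# A PHP script that forgets to do so is served with no CSP at all.
<FilesMatch "\.html$">
    Header set Content-Security-Policy "default-src 'self' blob: 'nonce-NEFFZW1HYjB4SnB0b0lHRlAzTmQ='; script-src 'self' 'nonce-NEFFZW1HYjB4SnB0b0lHRlAzTmQ='"
</FilesMatch>

# Caveat: a nonce hard-coded in the configuration is identical on every
# response, so an attacker who can inject markup can simply copy it; a
# production deployment generates a fresh random nonce per response.
```

Verify the outcome with a HEAD request against one .html and one .php URL and confirm the Content-Security-Policy header is present on both.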
