CSP settings work incorrectly when application is using resource from another app

I have encountered the following problem, which I believe is a bug.

I have application A which uses web block from application B. The web block is an iframe with custom html inside. This html is a resource deployed with application B, so that it gets its URL in application folder.

The problem I had was that the html didn't work because of environmental CSP settings in LifeTime. I have overridden the settings on application level for both applications A and B and republished them both several times, but the settings were still taken from the environment, so it still didn't work. Those settings come in the headers, and I have noticed that they were correct for the screen itself, but incorrect (outdated, taken from environment) for the custom HTML in the iframe. However, when I opened the URL of that HTML directly - they were also correct. Then I copied the web block and resource to application A without any changes - and it started working.

So it seems the problem occurs only when the resource lies in the module different from the screen which uses it. Even though the application is set up correctly, those settings are ignored.

Solution

Strange, but it started working after I removed the settings from application A. So it looks like it created a conflict between two settings, and fell back to not using any of them at all. Very strange, but glad it's working. I'm only worried what if I (or somebody else) would need to change those settings for application A for another reason...

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.