
Content Security Policy Response Header for Scripted REST API

madalavenkat
Tera Contributor

Hello Team,

 

We have been trying to add a Content-Security-Policy (CSP) response header in our Scripted REST API by using the response.setHeader() method. However, the configured value is not being reflected in the browser — it always shows only frame-ancestors 'self'.

Is there any known limitation in ServiceNow for setting this response header?

For reference, our instance version is Xanadu.
We would appreciate your assistance in understanding this behavior and helping us resolve it.
