Spring Security: Content-Security-Policy for web services

Time: 2017-04-06 07:07:27

Tags: java spring spring-security content-security-policy

My security context is as follows:

<http entry-point-ref="serviceEntryPoint" pattern="/service/.*" use-expressions="true" request-matcher="regex" create-session="never">        
    <intercept-url pattern="/service/.*" access="hasAnyRole('ROLE_SUPER','ROLE_ADMIN')" />
    <custom-filter position="TEST" ref="myCustomFilter" />
    <csrf disabled="true"/>
</http>

<http auto-config="true" use-expressions="true">
    <headers>
        <frame-options policy="SAMEORIGIN"/>
        <content-security-policy policy-directives="frame-ancestors 'self'"/>
    </headers>
    <intercept-url pattern="/forgot.ajax" access="permitAll" />
        ........
        ........
    <csrf/>
</http>

I have added the content-security-policy tag to one of the http sections. Do I also need to add content-security-policy for the service layer?

0 answers:

No answers