diff --git a/adminer/include/adminer.inc.php b/adminer/include/adminer.inc.php
index 509faab2..abc3e244 100644
--- a/adminer/include/adminer.inc.php
+++ b/adminer/include/adminer.inc.php
@@ -71,7 +71,7 @@ class Adminer {
 }
 /** Get Content Security Policy headers
- * @return array directive name in key, allowed sources in value
+ * @return array of arrays with directive name in key, allowed sources in value
 */
 function csp() {
 return csp();
diff --git a/adminer/include/design.inc.php b/adminer/include/design.inc.php
index 63bdd772..076ca051 100644
--- a/adminer/include/design.inc.php
+++ b/adminer/include/design.inc.php
@@ -93,28 +93,30 @@ function page_headers() {
 header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
 header("X-Content-Type-Options: nosniff");
 header("Referrer-Policy: origin-when-cross-origin");
- $csp = array();
- foreach ($adminer->csp() as $key => $val) {
- $csp[] = "$key $val";
- }
- if ($csp) {
- header("Content-Security-Policy: " . implode("; ", $csp));
+ foreach ($adminer->csp() as $csp) {
+ $header = array();
+ foreach ($csp as $key => $val) {
+ $header[] = "$key $val";
+ }
+ header("Content-Security-Policy: " . implode("; ", $header));
 }
 $adminer->headers();
 }
 /** Get Content Security Policy headers
-* @return array directive name in key, allowed sources in value
+* @return array of arrays with directive name in key, allowed sources in value
 */
 function csp() {
 return array(
- "default-src" => "'none'",
- "script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
- "style-src" => "'self' 'unsafe-inline'",
- "connect-src" => "'self'",
- "img-src" => "'self' data:",
- "frame-src" => "https://www.adminer.org",
- "form-action" => "'self'",
+ array(
+ "default-src" => "'none'",
+ "script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
+ "style-src" => "'self' 'unsafe-inline'",
+ "connect-src" => "'self'",
+ "img-src" => "'self' data:",
+ "frame-src" => "https://www.adminer.org",
+ "form-action" => "'self'",
+ ),
 );
 }
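Review bot: The `if ($csp)` guard that the old code had before calling header() is dropped in the rewritten loop in page_headers(), so a customized csp() that returns an empty inner array now emits a bare `Content-Security-Policy: ` header with no directives instead of skipping it. Keep the guard inside the new loop: `if ($header) { header("Content-Security-Policy: " . implode("; ", $header)); }`. Since each inner array is now sent as its own header, the csp() docblock should also say what that means for overrides: `@return array of arrays, each sent as a separate Content-Security-Policy header; browsers enforce every policy sent, so an added policy can only tighten the base one, never relax it`. page_headers() begins before this hunk, so its `$adminer` binding is not visible here.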