Content Security Policy - Per Directory

Frank_Rizzo

4:57 pm on Oct 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Is it possible to have different CSPs per directory?

I require the whole site to be self only
One page to allow paypalobjects
One search page to allow googleapis
Two pages to allow globalsign
The forum part of the site requires youtube and * for images

The only way I can do this is to set this globally in httpd.conf


Header add Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypalobjects.com https://seal.globalsign.com http://www.youtube.com https://www.youtube.com https://ajax.googleapis.com; img-src *"


That seems such a waste, because thousands of pages would have this CSP whereas they only need the default-src 'self'.

It would be more efficient to set a global CSP for all pages and then extra CSP for individual pages and directories.

I tried setting this as a global default in httpd.conf:


Header add Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'"


and then tried various ways to run a per-directory or per-page CSP:


<Directory /www/forum>
Header add Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.youtube.com https://www.youtube.com; img-src *"
</Directory>


That does not work so I tried a .htaccess in the folder. That did not work either. Finally I tried setting the CSP in meta tags on the checkout page. That would not work either.

Am I doing this wrong or is it just not possible to setup cascading CSP on different folders and files?

Satori

9:11 pm on Oct 19, 2015 (gmt 0)

10+ Year Member



You can insert your own CSP header in each directory or for individual pages/folders using PHP (for example, depending on $_SERVER['REQUEST_URI'], include the appropriate header for this page or folder). Why don't you use PHP for your purpose?
What is the point in cascading CSP?

lucy24

10:28 pm on Oct 19, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



<Directory /www/forum>
Header add

Does this format work in other situations? I'd be inclined to try a <FilesMatch> envelope inside the <Directory> envelope, so the headers are only attached to specified filetypes.

For future reference, what Apache version are you on? In the specific case of "Header add" it probably doesn't matter, but it never hurts to make sure.

Are you sure you want "add" rather than "append" or at least "merge"? The docs themselves (both 2.2 and 2.4) use the dreaded phrase "unforeseen consequences", which is never something you want to see.

Frank_Rizzo

8:31 am on Oct 20, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Satori. The point is so that the CSP is not inefficient. Surely adding a CSP adds many bytes to the returned page. If a task is to make pages smaller / lighter (I know, we're only talking a few bytes when users have Fibre) then it's best to be optimised.

In my case I only ever want my whole site (300,000 pages) to have 'self'. But on just one checkout page I need to allow paypalobjects. It would therefore make sense to have self as the default for all pages and then for just that single page self, paypalobjects, because there is no point in adding paypalobjects to 299,999 pages that don't need it.

Using the PHP header would be slightly inefficient too, as you are then adding a few extra cycles for each page. I'm a stickler for efficiency and I was hoping httpd.conf or a .htaccess or a meta tag would over-ride the master, but it does not.

Lucy24. It's the latest 2.4 branch.

Add, append, or overwrite, it does not matter. Here's the flow:

If the page is * then server CSP allow for self only
If the page is checkout then allow self, paypalobjects
If the page is searchpage then allow self, googleapis
If the page is in the /forum/ directory then allow self, youtube, and images *

It's pretty much similar to having different .css files loaded for specific pages / folders.

I can not believe that CSP is such a blunt tool. Surely there should be a mechanism to do what I require. Surely other sites require the same thing?
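
An added example, not posted by anyone in this thread, of the layout lucy24 asks about (a <Files> section inside a <Directory> section) applied to the flow Frank_Rizzo lists above, written for Apache 2.4 with mod_headers. The DocumentRoot /www and the file names checkout.php and search.php are assumptions; substitute the real paths. It deliberately leaves out the 'unsafe-inline' and 'unsafe-eval' source expressions from the original header, because those two allow injected inline scripts to run and so remove most of the protection CSP exists to provide.

```apache
# Added example, not from the thread. Assumes mod_headers is loaded, that
# /www is the DocumentRoot, and that checkout.php and search.php are the
# real file names of the checkout and search pages (placeholders).

# Site-wide baseline: everything must come from the site itself.
# "set" rather than "add": a more specific section below then replaces
# this value instead of emitting a second policy header next to it.
Header always set Content-Security-Policy "default-src 'self'"

<Directory "/www">
    # Single page: allow PayPal's asset host in addition to 'self'.
    <Files "checkout.php">
        Header always set Content-Security-Policy "default-src 'self' https://www.paypalobjects.com"
    </Files>

    # Single page: allow Google's hosted libraries in addition to 'self'.
    <Files "search.php">
        Header always set Content-Security-Policy "default-src 'self' https://ajax.googleapis.com"
    </Files>
</Directory>

# Whole directory: YouTube embeds, and images from anywhere.
<Directory "/www/forum">
    Header always set Content-Security-Policy "default-src 'self' https://www.youtube.com; img-src *"
</Directory>
```

The choice of set over add is the crux. A browser enforces every Content-Security-Policy header a response carries, so a resource has to be permitted by all of them; a second, looser header added in a <Directory> section beside the global one therefore unblocks nothing, and a policy delivered in a <meta http-equiv> tag behaves the same way, enforced in addition to the header rather than instead of it. With set, the directive in the more specific section replaces the site-wide value for that response, which gives the cascade described above. The same Header lines work in a .htaccess file provided the directory's AllowOverride includes FileInfo, which is the override class mod_headers requires. To confirm which policy a given URL actually receives, fetch it with curl -I and look at the Content-Security-Policy line; there should be exactly one.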

Satori

9:14 am on Oct 22, 2015 (gmt 0)

10+ Year Member



Frank_Rizzo. You can set up a .htaccess for each directory and folder. If a folder doesn't contain its own .htaccess then the general .htaccess is used. If all pages use the general .htaccess, not the one from their own folder, it was closed in httpd.conf by the AllowOverride directive. By default it is open. httpd looks in every directory/folder for .htaccess files.
Put the specific CSP header in the folder's .htaccess and you get the specific CSP for pages from this directory only. All the rest of the pages get their CSP headers from the general .htaccess.

lucy24

8:41 pm on Oct 22, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You can set up htaccess for each directory and folder

Yes, of course. But I can't think offhand of any directive that would work in .htaccess but not in a <Directory> section of the config file, which is where the question started.

bill

5:08 am on Jan 27, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A CSP checking tool was just referenced in Webmaster General [webmasterworld.com...] that might help checking these settings.

I was just bumping this thread to see whether you were able to get per directory/file CSP working. Most of the discussion I've seen about this focused on httpd.conf, but I can certainly see the benefit of making specific allowances for special CSP for only certain parts of your site.