'add_header' no longer allowed inside 'if', even though document says it is?
Daniël Mostertman
daniel at mostertman.org
Wed Feb 18 16:57:13 UTC 2015
Hi!
I'm currently running 1.7.10 mainline straight from the nginx.org
repository.
We are hosting an application that needs to be accessible to Internet
Explorer users, in addition to all other *normal* browsers.
tl;dr: I want to have an add_header inside an if {}. nginx 1.7.10 won't
let me.
I'm trying to add the following header, which WORKS JUST FINE in all
other browsers but IE:
    server {
        ...
        add_header Content-Security-Policy "
            default-src 'self' https://*.example.nl https://*.example.net;
            connect-src 'self' https://*.example.nl https://*.example.net;
            font-src 'self' data: https://*.example.nl https://*.example.net;
            script-src 'self' 'unsafe-inline' 'unsafe-eval'
                https://*.example.nl https://*.example.net;
            style-src 'self' 'unsafe-inline';
            img-src 'self' data: https://*.example.nl https://*.example.net;
            frame-src 'self';
            object-src 'self' 'unsafe-inline';
        ";
    }
In Chrome and Firefox, this works like a charm. But Internet Explorer
goes absolutely haywire on it.
According to http://content-security-policy.com/ .. Internet Explorer 10
has limited support for X-Content-Security-Policy, and no IE has support
for Content-Security-Policy.
In reality, that's not really true. I found that accessing the site with
IE11, results in a badly rendered page that could be classified as "not
working".
Remove the header, and everything works absolutely fine in IE11.
If I load the page in IE11 and hit F12, then change it to MS10
compatibility, it throws a *DNS* error. Yes, I kid you not, DNS.
Remove the header, and everything works absolutely fine in IE10
compatibility mode.
In an attempt to keep the header for all other browsers but MSIE, I
wanted to do the following instead:
    server {
        ...
        if ($http_user_agent ~ MSIE ) {
            add_header Content-Security-Policy "
                default-src 'self' https://*.example.nl https://*.example.net;
                connect-src 'self' https://*.example.nl https://*.example.net;
                font-src 'self' data: https://*.example.nl https://*.example.net;
                script-src 'self' 'unsafe-inline' 'unsafe-eval'
                    https://*.example.nl https://*.example.net;
                style-src 'self' 'unsafe-inline';
                img-src 'self' data: https://*.example.nl https://*.example.net;
                frame-src 'self';
                object-src 'self' 'unsafe-inline';
            ";
        }
    }
According to both http://wiki.nginx.org/IfIsEvil and
http://nginx.org/en/docs/http/ngx_http_headers_module.html (see Context
of add_header), it should be allowed inside an if.
But yet:
root:~# nginx -t
nginx: [emerg] "add_header" directive is not allowed here in
/etc/nginx/sites-enabled/webtv-test:37
nginx: configuration file /etc/nginx/nginx.conf test failed
root:~#
What am I doing wrong, if anything? And if I can avoid using "if" like
that, I'd obviously prefer that.
Kind regards,
Daniël
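
The ngx_http_headers_module documentation lists the context of add_header as http, server, location and "if in location", so an if placed directly inside server {} is rejected. An added example, not part of the original post, that avoids if altogether: a map yields an empty value for Internet Explorer user agents, and nginx does not emit an add_header whose value is empty. The variable name $csp_policy, the server_name and the Trident/ pattern are assumptions made for this example.

```nginx
# Goes in the http {} context: "map" is only valid at that level.
# $csp_policy is a variable name chosen for this example.
map $http_user_agent $csp_policy {
    # Default: every client receives the policy from the post. It is kept on
    # one line so that no line breaks end up inside the header value.
    default "default-src 'self' https://*.example.nl https://*.example.net; connect-src 'self' https://*.example.nl https://*.example.net; font-src 'self' data: https://*.example.nl https://*.example.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.example.nl https://*.example.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.example.nl https://*.example.net; frame-src 'self'; object-src 'self' 'unsafe-inline';";

    # Internet Explorer gets an empty value, so the header is not sent.
    # IE 10 and older send "MSIE" in the User-Agent. IE11's default
    # User-Agent contains "Trident/" but no "MSIE", hence the second pattern.
    "~MSIE"     "";
    "~Trident/" "";
}

server {
    server_name www.example.nl;   # placeholder, not from the post

    # add_header is valid at server level; a header with an empty value
    # is skipped, so no "if" block is needed.
    add_header Content-Security-Policy $csp_policy;
}
```

With this in place, `nginx -t` no longer hits the context check, and the policy stays enforced for every client whose User-Agent does not match one of the two patterns.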