'add_header' no longer allowed inside 'if', even though document says it is?

Daniël Mostertman daniel at mostertman.org
Wed Feb 18 16:57:13 UTC 2015


Hi!

I'm currently running 1.7.10 mainline straight from the nginx.org 
repository.
We are hosting an application that needs to be accessible to Internet 
Explorer users, in addition to all other *normal* browsers.

tl;dr: I want to have an add_header inside an if {}. nginx 1.7.10 won't 
let me.

I'm trying to add the following header, which WORKS JUST FINE in all 
other browsers but IE:

server {
   ...

   add_header Content-Security-Policy "
     default-src  'self' https://*.example.nl https://*.example.net;
     connect-src  'self' https://*.example.nl https://*.example.net;
     font-src     'self' data: https://*.example.nl https://*.example.net;
     script-src   'self' 'unsafe-inline' 'unsafe-eval' https://*.example.nl https://*.example.net;
     style-src    'self' 'unsafe-inline';
     img-src      'self' data: https://*.example.nl https://*.example.net;
     frame-src    'self';
     object-src   'self' 'unsafe-inline';
   ";

}

In Chrome and Firefox, this works like a charm. But Internet Explorer 
goes absolutely haywire on it.
According to http://content-security-policy.com/ .. Internet Explorer 10 
has limited support for X-Content-Security-Policy, and no IE has support 
for Content-Security-Policy.

In reality, that's not really true. I found that accessing the site with 
IE11 results in a badly rendered page that could be classified as "not 
working".
Remove the header, and everything works absolutely fine in IE11.

If I load the page in IE11 and hit F12, then change it to MS10 
compatibility, it throws a *DNS* error. Yes, I kid you not, DNS.
Remove the header, and everything works absolutely fine in IE10 
compatibility mode.

In an attempt to keep the header for all other browsers but MSIE, I 
wanted to do the following instead:

server {
   ...

   if ($http_user_agent ~ MSIE ) {
     add_header Content-Security-Policy "
       default-src  'self' https://*.example.nl https://*.example.net;
       connect-src  'self' https://*.example.nl https://*.example.net;
       font-src     'self' data: https://*.example.nl https://*.example.net;
       script-src   'self' 'unsafe-inline' 'unsafe-eval' https://*.example.nl https://*.example.net;
       style-src    'self' 'unsafe-inline';
       img-src      'self' data: https://*.example.nl https://*.example.net;
       frame-src    'self';
       object-src   'self' 'unsafe-inline';
     ";
   }
}

According to both http://wiki.nginx.org/IfIsEvil and 
http://nginx.org/en/docs/http/ngx_http_headers_module.html (see Context 
of add_header), it should be allowed inside an if.
But yet:

root:~# nginx -t
nginx: [emerg] "add_header" directive is not allowed here in /etc/nginx/sites-enabled/webtv-test:37
nginx: configuration file /etc/nginx/nginx.conf test failed
root:~#

What am I doing wrong, if anything? And if I can avoid using "if" like 
that, I'd obviously prefer that.

Kind regards,

Daniël
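
Added example, not part of the original message: the add_header documentation lists its contexts as http, server, location and "if in location", so an if placed directly in server {} is rejected. One way to send the policy to every browser except IE without any if is a map in the http {} context, since add_header emits nothing when its value is empty. The variable name $csp_policy and the Trident/ match are assumptions of this sketch.

```nginx
# Added example, not the poster's configuration.
# Place the map in the http {} context (for example in nginx.conf or conf.d/).
map $http_user_agent $csp_policy {
    # Every User-Agent not matched below gets the policy from the post.
    default "default-src 'self' https://*.example.nl https://*.example.net; connect-src 'self' https://*.example.nl https://*.example.net; font-src 'self' data: https://*.example.nl https://*.example.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.example.nl https://*.example.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.example.nl https://*.example.net; frame-src 'self'; object-src 'self' 'unsafe-inline';";

    # IE 10 and older, and IE11 in compatibility mode, send "MSIE".
    ~MSIE     "";

    # Assumption: IE11 in its default mode identifies as
    # "Trident/7.0; rv:11.0" and does not contain "MSIE".
    ~Trident/ "";
}

server {
    # ... existing server settings ...

    # An empty $csp_policy means no Content-Security-Policy header is sent.
    # add_header directives are inherited from this level only if the
    # matching location {} defines no add_header of its own.
    add_header Content-Security-Policy $csp_policy;
}
```

After `nginx -t` passes, compare the response headers for a request with an IE User-Agent and one without to confirm that only the latter carries the policy.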


