How to set a conditional Content-Security-Policy?
hal469 at xsmail.com
Tue Mar 27 16:50:14 UTC 2018
For my nginx server, I set a CSP header
set $CSP '';
set $CSP "${CSP}default-src 'self';";
set $CSP "${CSP}script-src 'self';";
add_header Content-Security-Policy $CSP;
For a webapp, using Symfony, the developer UI injects inline script for display of a "Debug Toolbar"
It's access-blocked by that^ server policy.
Changing
- set $CSP "${CSP}script-src 'self';";
+ set $CSP "${CSP}script-src 'self' 'unsafe-inline';";
fixes the problem -- access to the debug toolbar is allowed, and it's rendered.
But, adding the 'unsafe-inline' is certainly not ideal!
Apache has the option to create/return a CSP policy depending on Request IP:
https://blog.paranoidpenguin.net/2017/12/deploy-different-content-security-policies-csps-using-the-apache-if-directive/
How would the equivalent be done in nginx config?
IIUC, there's no if/then/else construct.
Something with maps maybe?
Hal
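One way to get a per-client CSP in nginx without `if`, added here as an example and not part of the original post: the `geo` module maps the client IP (`$remote_addr` by default, with CIDR support) to a variable, and that variable is interpolated into a single `add_header`. The address ranges, the server block and the `/var/www/app/public` root are assumptions for illustration.

```nginx
# Choose the script-src value by client address. geo evaluates $remote_addr
# and supports CIDR ranges, so this replaces the Apache <If> approach.
# Only developer hosts get 'unsafe-inline'; everyone else keeps the strict policy.
geo $csp_script_src {
    default        "'self'";
    127.0.0.1/32   "'self' 'unsafe-inline'";   # local dev box
    10.0.0.0/8     "'self' 'unsafe-inline'";   # assumed office/VPN range
}

server {
    listen 80;
    server_name app.example.com;           # assumed hostname
    root /var/www/app/public;              # assumed Symfony public dir

    # One header for every client; only script-src varies.
    # "always" also sends it on 4xx/5xx responses (nginx >= 1.7.5).
    add_header Content-Security-Policy "default-src 'self'; script-src $csp_script_src;" always;

    location / {
        try_files $uri /index.php$is_args$args;
    }

    # NOTE: add_header is NOT inherited into a location that declares its own
    # add_header. If a location needs extra headers, repeat the CSP line there.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Verify from each side of the boundary with `curl -sI http://app.example.com/ | grep -i content-security-policy`; a request from 127.0.0.1 should show `'unsafe-inline'` and one from an outside address should not. Two caveats: if nginx sits behind a load balancer or CDN, `$remote_addr` is the proxy's address, so either configure `set_real_ip_from`/`real_ip_header` or point `geo` at the forwarded address (`geo $http_x_forwarded_for $csp_script_src { ... }`), and remember that relaxing CSP by source IP is only a development convenience; for inline scripts you ship to real users, a per-request nonce is the policy-compatible fix rather than `'unsafe-inline'`.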