Previous Message Next Message
Forum List Message List New Topic Print View
Daniël Mostertman
February 18, 2015 11:58AM
Hi!

I'm currently running 1.7.10 mainline straight from the nginx.org
repository.
We are hosting an application that needs to be accessible to Internet
Explorer users, in addition to all other *normal* browsers.

tl;dr: I want do have an add_header inside an if {}. nginx 1.7.10 won't
let me.

I'm trying to add the following header, which WORKS JUST FINE in all
other browser but IE:

server {
...

add_header Content-Security-Policy "
default-src 'self' https://*.example.nl https://*.example.net;
connect-src 'self' https://*.example.nl https://*.example.net;
font-src 'self' data: https://*.example.nl https://*.example.net;
script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://*.example.nl https://*.example.net;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https://*.example.nl https://*.example.net;
frame-src 'self';
object-src 'self' 'unsafe-inline';
";

}

In Chrome and Firefox, this works like a charm. But Internet Explorer
goes absolutely haywire on it.
According to http://content-security-policy.com/ .. Internet Explorer 10
has limited support for X-Content-Security-Policy, and no IE has support
for Content-Security-Policy.

In reality, that's not really true. I found that accessing the site with
IE11, results in a badly rendered page that could be classified as "not
working".
Remove the header, and everything works absolutely fine in IE11.

If I load the page in IE11 and hit F12, then change it to MS10
compatibility, it throws a *DNS* error. Yes, I kid you not, DNS.
Remove the header, and everything works absolutely fine in IE10
compatibility mode.

In an attempt to keep the header for all other browsers but MSIE, I
wanted to do the following instead:

server {
...

if ($http_user_agent ~ MSIE ) {
add_header Content-Security-Policy "
default-src 'self' https://*.example.nl https://*.example.net;
connect-src 'self' https://*.example.nl https://*.example.net;
font-src 'self' data: https://*.example.nl https://*.example.net;
script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://*.example.nl https://*.example.net;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https://*.example.nl https://*.example.net;
frame-src 'self';
object-src 'self' 'unsafe-inline';
";
}
}

According to both http://wiki.nginx.org/IfIsEvil and
http://nginx.org/en/docs/http/ngx_http_headers_module.html (see Context
of add_header), it should be allowed inside an if.
But yet:

root:~# nginx -t
nginx: [emerg] "add_header" directive is not allowed here in
/etc/nginx/sites-enabled/webtv-test:37
nginx: configuration file /etc/nginx/nginx.conf test failed
root:~#

What am I doing wrong, if anything? And if I can avoid using "if" like
that, I'd obviously prefer that.

Kind regards,

Daniël

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

'add_header' no longer allowed inside 'if', even though document says it is?

Daniël Mostertman February 18, 2015 11:58AM

Re: 'add_header' no longer allowed inside 'if', even though document says it is?

Daniël Mostertman February 18, 2015 12:04PM

Re: 'add_header' no longer allowed inside 'if', even though document says it is?

Valentin V. Bartenev February 18, 2015 12:14PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 306
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready