Hi!
I'm currently running 1.7.10 mainline straight from the nginx.org
repository.
We are hosting an application that needs to be accessible to Internet
Explorer users, in addition to all other *normal* browsers.
tl;dr: I want do have an add_header inside an if {}. nginx 1.7.10 won't
let me.
I'm trying to add the following header, which WORKS JUST FINE in all
other browser but IE:
server {
...
add_header Content-Security-Policy "
default-src 'self' https://*.example.nl https://*.example.net;
connect-src 'self' https://*.example.nl https://*.example.net;
font-src 'self' data: https://*.example.nl https://*.example.net;
script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://*.example.nl https://*.example.net;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https://*.example.nl https://*.example.net;
frame-src 'self';
object-src 'self' 'unsafe-inline';
";
}
In Chrome and Firefox, this works like a charm. But Internet Explorer
goes absolutely haywire on it.
According to http://content-security-policy.com/ .. Internet Explorer 10
has limited support for X-Content-Security-Policy, and no IE has support
for Content-Security-Policy.
In reality, that's not really true. I found that accessing the site with
IE11, results in a badly rendered page that could be classified as "not
working".
Remove the header, and everything works absolutely fine in IE11.
If I load the page in IE11 and hit F12, then change it to MS10
compatibility, it throws a *DNS* error. Yes, I kid you not, DNS.
Remove the header, and everything works absolutely fine in IE10
compatibility mode.
In an attempt to keep the header for all other browsers but MSIE, I
wanted to do the following instead:
server {
...
if ($http_user_agent ~ MSIE ) {
add_header Content-Security-Policy "
default-src 'self' https://*.example.nl https://*.example.net;
connect-src 'self' https://*.example.nl https://*.example.net;
font-src 'self' data: https://*.example.nl https://*.example.net;
script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://*.example.nl https://*.example.net;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https://*.example.nl https://*.example.net;
frame-src 'self';
object-src 'self' 'unsafe-inline';
";
}
}
According to both http://wiki.nginx.org/IfIsEvil and
http://nginx.org/en/docs/http/ngx_http_headers_module.html (see Context
of add_header), it should be allowed inside an if.
But yet:
root:~# nginx -t
nginx: [emerg] "add_header" directive is not allowed here in
/etc/nginx/sites-enabled/webtv-test:37
nginx: configuration file /etc/nginx/nginx.conf test failed
root:~#
What am I doing wrong, if anything? And if I can avoid using "if" like
that, I'd obviously prefer that.
Kind regards,
Daniël
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
