Is it ok to put line-breaks in add_header in nginx

2020-08-15 02:29发布

站内问答 / 前沿技术
1384 2 6

I've searched on this topic and can't find anything in the nginx configuration that says if this is "ok" or not?

This appears to work just fine, other than messing up the syntax highlighting in vim:

add_header Content-Security-Policy "default-src 'self' *.google-analytics.com;
                                     object-src 'none';
                                     report-uri /csp-report;";

But is it actually valid? Am I relying on browsers understanding line breaks inside a CSP, or does nginx render it into one line before serving it? Fiddler appears to show it as one line, but again I don't know if nginx is serving it as that or if Fiddler is interpreting it as that.

(This is obviously a much simplified version of my true CSP, which is certainly very much long enough that I consider it beneficial to my sanity to split it onto multiple lines!)

标签: nginx
举报
2条回答
Explosion°爆炸
2楼-- · 2020-08-15 02:45

You can use variable nesting like this, which still in the end creates a one liner:

set $SCRIPT "script-src 'self'";
set $SCRIPT "${SCRIPT} https://www.a.com"; # comment each line if you like
set $SCRIPT "${SCRIPT} https://b.com";
set $STYLE "style-src 'self'";
set $STYLE "${STYLE} https://a.com";
set $IMG "img-src 'self' data:";
set $IMG "${IMG} https://a.com";
set $IMG "${IMG} https://www.b.com";
set $FONT "font-src 'self' data:";
set $FONT "${FONT} https://a.com";
set $DEFAULT "default-src 'self'";
set $CONNECT "connect-src 'self'";
set $CONNECT "${CONNECT} https://www.a.com";
set $CONNECT "${CONNECT} https://www.b.com";
set $FRAME "frame-src 'self'";
set $FRAME "${FRAME} https://a.com";
set $FRAME "${FRAME} https://b.com";
add_header Content-Security-Policy "${SCRIPT}; ${STYLE}; ${IMG}; ${FONT}; ${DEFAULT}; ${CONNECT}; ${FRAME}";
查看更多
0人赞 添加讨论(0) 举报
三岁会撩人
3楼-- · 2020-08-15 02:59

Unfortunately, nginx treats the white space between the quotes literally, so as long as you begin each new line with a space or tab character, the header will remain valid.

However, it is possible to create an invalid header. For example, this produces an invalid header:

add_header Content-Security-Policy "default-src 'self' *.google-analytics.com;
object-src 'none';
report-uri /csp-report;";

The support for splitting header lines is deprecated in RFC 7230:

From RFC 7230 section 3.2.4

Historically, HTTP header field values could be extended over
multiple lines by preceding each extra line with at least one space
or horizontal tab (obs-fold). This specification deprecates such
line folding except within the message/http media type

The safest solution would be to accept that some lines in your configuration file may be very much longer than you would prefer.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)