How to set a conditional Content-Security-Policy?

Anonymous User
How to set a conditional Content-Security-Policy?
March 27, 2018 07:00PM
For my nginx server, I set a CSP header

set $CSP '';
set $CSP "${CSP}default-src 'self';";
set $CSP "${CSP}script-src 'self';";
add_header Content-Security-Policy $CSP;

For a webapp, using Symfony, the developer UI injects inline script for display of a "Debug Toolbar"

It's access-blocked by that^ server policy.

Changing

- set $CSP "${CSP}script-src 'self';";
+ set $CSP "${CSP}script-src 'self' 'unsafe-inline';";

fixes the problem -- access to the debug toolbar is allowed, and it's rendered.

But, adding the 'unsafe-inline' is certainly not ideal!

Apache has the option to create/return a CSP policy depending on Request IP:

https://blog.paranoidpenguin.net/2017/12/deploy-different-content-security-policies-csps-using-the-apache-if-directive/

How would the equivalent be done in nginx config?

IIUC, there's no if/then/else construct.

Something with maps maybe?

Hal
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: How to set a conditional Content-Security-Policy?
March 27, 2018 07:30PM
Hello!

On Tue, Mar 27, 2018 at 09:50:14AM -0700, hal469@xsmail.com wrote:

> For my nginx server, I set a CSP header
>
> set $CSP '';
> set $CSP "${CSP}default-src 'self';";
> set $CSP "${CSP}script-src 'self';";
> add_header Content-Security-Policy $CSP;
>
> For a webapp, using Symfony, the developer UI injects inline script for display of a "Debug Toolbar"
>
> It's access-blocked by that^ server policy.
>
> Changing
>
> - set $CSP "${CSP}script-src 'self';";
> + set $CSP "${CSP}script-src 'self' 'unsafe-inline';";
>
> fixes the problem -- access to the debug toolbar is allowed, and it's rendered.
>
> But, adding the 'unsafe-inline' is certainly not ideal!
>
> Apache has the option to create/return a CSP policy depending on Request IP:
>
> https://blog.paranoidpenguin.net/2017/12/deploy-different-content-security-policies-csps-using-the-apache-if-directive/
>
> How would the equivalent be done in nginx config?
>
> IIUC, there's no if/then/else construct.
>
> Something with maps maybe?

There are "if" constructs in nginx, see http://nginx.org/r/if.
On the other hand, if you want to set CSP depending on the client
IP address, it might be a better idea to use "geo" instead, e.g.:

geo $csp {
default "default-src 'self'; script-src 'self';";
10.0.0.0/8 "default-src 'self'; script-src 'self' 'unsafe-inline'";
}

add_header Content-Security-Policy $csp;

See http://nginx.org/en/docs/http/ngx_http_geo_module.html for
details.

--
Maxim Dounin
http://mdounin.ru/
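The "geo" approach above as a complete, checkable nginx.conf (an added example, not code from the thread). The address ranges, the listen port, the upstream address and the proxy address are placeholders; note that "geo" matches on $remote_addr, so behind a load balancer the relaxed policy would never (or wrongly) apply unless the balancer is declared with "proxy".

```nginx
# Added example; not from the mailing-list thread. Validate with: nginx -t -c nginx.conf
events { worker_connections 1024; }

http {
    # geo must live at http level; the variable is then usable in any server/location.
    geo $csp {
        # Strict policy for everyone by default: no inline script allowed.
        default        "default-src 'self'; script-src 'self';";

        # Relaxed policy only for internal developer ranges (constructed values).
        10.0.0.0/8     "default-src 'self'; script-src 'self' 'unsafe-inline';";
        192.168.0.0/16 "default-src 'self'; script-src 'self' 'unsafe-inline';";

        # If nginx sits behind a load balancer, $remote_addr is the balancer's
        # address and every client would look "external". Declare the balancer
        # as trusted so geo evaluates X-Forwarded-For instead (placeholder IP).
        # Leave this out when nginx is directly reachable, or clients could
        # forge X-Forwarded-For and pick their own policy.
        # proxy 203.0.113.10;
    }

    server {
        listen      8080;                 # placeholder port
        server_name example.test;         # placeholder host

        # "always" attaches the header to 4xx/5xx responses as well.
        add_header Content-Security-Policy $csp always;

        location / {
            # add_header is not merged: a location that sets any add_header
            # drops the ones inherited from server, so the CSP is repeated here.
            add_header Content-Security-Policy $csp always;
            add_header X-Content-Type-Options nosniff always;

            proxy_pass http://127.0.0.1:8000;   # placeholder Symfony backend
        }
    }
}
```

A quick check from a dev-range host versus an external one (curl -sI and look at Content-Security-Policy) confirms which policy each client receives.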
Anonymous User
Re: How to set a conditional Content-Security-Policy?
March 27, 2018 08:00PM
> There are "if" constructs in nginx, see http://nginx.org/r/if.

Well I'll be darned. I'd thought "if was evil". Thx.

> On the other hand, if you want to set CSP depending on the client
> IP address, it might be better idea to use "geo" instead, e.g.:
>
> geo $csp {
> default "default-src 'self'; script-src 'self';";
> 10.0.0.0/8 "default-src 'self'; script-src 'self' 'unsafe-inline'";
> }
>
> add_header Content-Security-Policy $csp;

Works perfectly! Thx!