For my nginx server, I set a CSP header:

    set $CSP '';
    set $CSP "${CSP}default-src 'self';";
    set $CSP "${CSP}script-src 'self';";
    add_header Content-Security-Policy $CSP;

For a webapp using Symfony, the developer UI injects inline script to display a "Debug Toolbar". It's access-blocked by that server policy. Changing

    - set $CSP "${CSP}script-src 'self';";
    + set $CSP "${CSP}script-src 'self' 'unsafe-inline';";

fixes the problem -- access to the debug toolbar is allowed, and it's rendered. But adding the 'unsafe-inline' is certainly not ideal!

Apache has the option to create/return a CSP policy depending on request IP:
https://blog.paranoidpenguin.net/2017/12/deploy-different-content-security-policies-csps-using-the-apache-if-directive/

How would the equivalent be done in nginx config? IIUC, there's no if/then/else construct. Something with maps maybe?

Hal
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
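One way to select the CSP by client address in nginx, as an added example that is not part of the original post or of any reply to it: the standard geo module (ngx_http_geo_module) maps $remote_addr against CIDR ranges to a variable, which can then be interpolated into add_header. A plain map would also work for exact addresses, but geo handles ranges. The server_name and the 127.0.0.1 / 10.0.0.0/8 developer ranges below are constructed placeholders, not values from the post.

```nginx
# Added example (not from the original post): pick the script-src value per client IP.
# geo matches $remote_addr against the listed addresses/CIDR ranges; anything not
# listed gets the default, so unknown clients keep the strict policy.
# The addresses are constructed placeholders; replace with the real developer ranges.
geo $csp_script_src {
    default         "'self'";
    127.0.0.1       "'self' 'unsafe-inline'";   # local developer
    10.0.0.0/8      "'self' 'unsafe-inline'";   # assumed internal dev network (placeholder)
}

server {
    listen      80;
    server_name example.test;   # placeholder

    # The variable is expanded per request, so developers and ordinary visitors
    # receive different policies from the same server block.
    add_header Content-Security-Policy "default-src 'self'; script-src $csp_script_src;" always;

    location / {
        # proxy or fastcgi to the Symfony app goes here
    }
}
```

Two things to check before relying on this: if the app sits behind a load balancer or reverse proxy, $remote_addr is the proxy's address, so use the realip module (set_real_ip_from / real_ip_header) with only the trusted proxy addresses listed; do not feed X-Forwarded-For straight into geo, since a client can set that header. And verify the result from both an allowed and a non-allowed address (for example with curl -I) so that 'unsafe-inline' really does not leak into the policy served to ordinary visitors.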