在nginx配置中将换行符放入add_header可以吗? [英] Is it ok to put line-breaks in add_header in nginx configuration?

问题描述

我已经搜索了这个主题，但是在nginx配置中找不到表明确定"的任何内容?

I've searched on this topic and can't find anything in the nginx configuration that says if this is "ok" or not?

除了搞乱vim中突出显示的语法外，这似乎还不错:

This appears to work just fine, other than messing up the syntax highlighting in vim:

add_header Content-Security-Policy "default-src 'self' *.google-analytics.com;
                                     object-src 'none';
                                     report-uri /csp-report;";

但是它实际上有效吗?我是依靠浏览器来了解CSP中的换行符吗，还是nginx在提供它之前将其换成一行? Fiddler似乎将其​​显示为一行，但是我也不知道nginx是作为它提供服务还是Fiddler是将其解释为服务.

But is it actually valid? Am I relying on browsers understanding line breaks inside a CSP, or does nginx render it into one line before serving it? Fiddler appears to show it as one line, but again I don't know if nginx is serving it as that or if Fiddler is interpreting it as that.

(这显然是我真正的CSP的简化版本，它肯定足够长，以至于我认为将其分成多行有益于我的理智！)

(This is obviously a much simplified version of my true CSP, which is certainly very much long enough that I consider it beneficial to my sanity to split it onto multiple lines!)

推荐答案

不幸的是，nginx照原样处理引号之间的空白，因此，只要您以空格或制表符开头的每一行，标题将保持有效.

Unfortunately, nginx treats the white space between the quotes literally, so as long as you begin each new line with a space or tab character, the header will remain valid.

但是，可以创建一个无效的标题.例如，这将产生无效的标头:

However, it is possible to create an invalid header. For example, this produces an invalid header:

add_header Content-Security-Policy "default-src 'self' *.google-analytics.com;
object-src 'none';
report-uri /csp-report;";

在RFC 7230中不赞成使用分割标题行:

The support for splitting header lines is deprecated in RFC 7230:

来自 RFC 7230第3.2.4节

从历史上看，HTTP标头字段值可以扩展到
多行，请在每条额外行的前面加上至少一个空格
或水平制表符(折叠).本规范不赞成使用此类
行折叠，但在message/http媒体类型中除外

Historically, HTTP header field values could be extended over
multiple lines by preceding each extra line with at least one space
or horizontal tab (obs-fold). This specification deprecates such
line folding except within the message/http media type

最安全的解决方案是接受配置文件中的某些行可能比您希望的长得多.

The safest solution would be to accept that some lines in your configuration file may be very much longer than you would prefer.

这篇关于在nginx配置中将换行符放入add_header可以吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！