I'm using nginx's expires directive; its etag directive as well as the Last-Modified header (if I understand correctly) are on by default.

In order to allow specific inline JavaScript when using restrictive Content Security Policy (CSP) headers (i.e. no 'unsafe-inline' source expression), I want to use nonces.

I've basically followed the article by Scott Helme on the matter, using nginx's $request_id in my trial to create the nonce as discussed on ServerFault (in order to try this quickly without having to build nginx from scratch).

When I tried this, however, caching no longer seemed to work as I expected: nginx responded with the file and fresh Last-Modified and ETag headers each time, instead of the 304 Not Modified response I was hoping for.

Thinking about it, this makes sense: the nonce in the CSP header as well as in the source code changes with each request. However, nothing else changes. So, arguably, this is a change that a "weak validator" should ignore (and thus mark the requested resource as not changed).

Having said that, I know very little to nothing about server configuration, or caching headers, for that matter. Chances are the smattering of knowledge I have isn't helping, and that weak validators, for example, aren't supposed to work that way, anyway.

Additionally, there seems to be an issue where browsers get confused when they have a cached version of the file with the old nonce but receive a 304 Not Modified response with a new nonce (although I haven't seen that myself in my trial).

My question is thus basically: is it possible to configure nginx so that caching works in a way where changes to the nonce only (i.e. changes that happen on the fly by text replacement) are ignored when nginx creates the Last-Modified and ETag headers (i.e. where it only looks at the file changes on disk) - effectively using what are probably weak validators?

And, assuming browser confusion is an issue, can you do something to stop it, like not return a CSP header when the server returns 304 (so as not to replace the "header" nonce the browser has by a new one that then doesn't match the "file" one)? (This is more an academic question; I suppose I could somehow try not to set the CSP header for a 304 response, maybe using the ngx_headers_more module.)

Do I effectively have the choice between using nonces or caching? Or should this work out of the box (and whatever I saw was down to something else)?

Christian
