16

I am setting a Content-Security-Policy header in my .htaccess file, and it has grown to be an extremely long single line, which is a bother to manage. Is there some way to break up this line into more manageable substrings?

As a trivial example, say I am setting a header like

Header set Content-Security-Policy "default-src http://domainA.com; script-src http://domainB.com"

I can (without obvious breaking problems) accomplish my specific case with something like

Header append Content-Security-Policy "default-src http://domainA.com;"
Header append Content-Security-Policy "script-src http://domainB.com"

but that will insert commas into the string, so I was still curious if there was a better answer that could be applied generally, without adding the additional chars to the response.

What would be ideal is if there were some concatenation character that I could use to break the string into smaller parts, like

Header set Content-Security-Policy "default-src http://domainA.com;"
\" script-src http://domainB.com"

or

Header set Content-Security-Policy "default-src http://domainA.com;"^
" script-src http://domainB.com"

or

Header set Content-Security-Policy "default-src http://domainA.com;"
+" script-src http://domainB.com"

Alternatively, if I could set some sort of variable and just dump their contents to do something like

a="default-src http://domainA.com;"
b=" script-src http://domainB.com"
Header set Content-Security-Policy $a$b

that would also be much more manageable.

There was a similar topic that came up for nginx and the conclusion was just to live with the long lines (they were dealing with a long regex, so the append solution wouldn't have worked); is that going to be the case for Apache as well?

MaxPRafferty
  • Will holding Shift and pressing Enter after each of your substrings do the trick? – StixO Jan 27 '16 at 18:32
  • @StixO No, this issue relates to how Apache parses strings in conf files. Generally (usually HTML) editors will use such a shortcut to differentiate between line breaks (say, ) and paragraph breaks (). This will depend on the markup format being parsed, and the editor. Apache conf files are pure text, and as such have no differentiation between a line and paragraph (regardless of modifier, enter produces a single, system-dependent carriage-return character like \n or \r).
    – MaxPRafferty Feb 02 '16 at 17:48

2 Answers

19

The following should work:

 Header set Content-Security-Policy "default-src http://domainA.com; \
      script-src http://domainB.com"
Barry Pollard
  • I tested this and got `Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration`. – kasperd Jan 27 '16 at 19:17
  • 1
    @kasperd you need to run `a2enmod headers` – MaxPRafferty Jan 27 '16 at 19:50
  • @BazzaDP Interesting! I would expect that this would cause the server to send an escaped newline, but it seems like it concats the way I would want, and is imperceptible from the client's perspective. – MaxPRafferty Jan 27 '16 at 19:58
  • 1
    Wow, actually, evidently you can escape any whitespace character this way. Confirmed working with \ as well. .htaccess will never have looked so good! – MaxPRafferty Jan 27 '16 at 20:02
  • 1
    Huh, even works to break up regex! @BazzaDP, you might want to go drop this answer on that nginx question I mentioned as well, might work there too. – MaxPRafferty Jan 27 '16 at 20:05
  • I applied a backslash in a lengthy regular expression pattern in RewriteRule. It worked like a charm, but the next line's auto tab spaces (generated by VS Code) must be deleted to get it to work, though. – Adeel Raza Azeemi Apr 28 '22 at 04:39
9

Yes - the backslash works as a line-continuation. This is buried within the Apache 2.4 documentation on [https://httpd.apache.org/docs/2.4/configuring.html#page-header]

Important rules:

  1. Whitespace within a line is fine, i.e. any number of tabs and spaces;
  2. The last character on all lines except the final one must be a backslash;
  3. The final line must not terminate with a backslash;
  4. The Apache comment character (#) cannot be used to comment out a line.
  5. You cannot break the [flags]

If these rules are not obeyed, the server will respond with an Error 500.

Max Muster
Steve GS
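
An added example, not part of the original posts or of Apache: a Python check that joins backslash-continued lines following the rules listed above, then parses the resulting Content-Security-Policy value so that a broken continuation or a misspelled directive is caught before the file is deployed. The joining logic is an approximation of Apache's parser, and the names `KNOWN`, `HEADER`, `logical_lines`, `check_csp` and `SAMPLE` are made up for this example.

```python
import re
# Subset of CSP directive names, used only for the typo check (extend as needed).
KNOWN = {"default-src", "script-src", "style-src", "img-src", "connect-src",
         "font-src", "object-src", "media-src", "frame-src", "worker-src",
         "base-uri", "form-action", "frame-ancestors", "report-uri", "sandbox"}
HEADER = re.compile(r'Header\s+(?:always\s+)?(set|append)\s+'
                    r'Content-Security-Policy\s+"(.*)"$', re.I)

def logical_lines(text):
    """Join lines whose last character is a backslash; collect rule violations."""
    out, buf, warnings = [], "", []
    for n, line in enumerate(text.split("\n"), 1):
        if re.search(r"\\[ \t]+$", line):
            warnings.append(f"line {n}: whitespace after backslash")
        if buf and line.lstrip().startswith("#"):
            warnings.append(f"line {n}: '#' inside a continued directive")
        if line.endswith("\\"):
            buf += line[:-1]          # drop the backslash, keep reading
        else:
            out.append((buf + line).strip())
            buf = ""
    if buf:
        warnings.append("file ends inside a continuation")
    return [l for l in out if l], warnings

def check_csp(htaccess):
    """Return (policies, warnings) for the CSP headers in an .htaccess text."""
    lines, warnings = logical_lines(htaccess)
    policies = []
    for m in filter(None, map(HEADER.match, lines)):
        if m.group(1).lower() == "append":
            # Appended values are comma-joined; each part is its own policy.
            warnings.append("append yields comma-separated policies")
        directives = {}
        for part in m.group(2).split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
                if tokens[0].lower() not in KNOWN:
                    warnings.append(f"unknown directive '{tokens[0]}'")
        policies.append(directives)
    return policies, warnings

# Constructed sample: a continued header with a misspelled directive.
SAMPLE = r'''Header set Content-Security-Policy "deafult-src http://domainA.com; \
      script-src http://domainB.com"
'''
print(check_csp(SAMPLE))
```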