
How can I add the current URL to a .htaccess CSP header dynamically?

I'm currently working on a Shopify app; one of their main requirements is to add iframe protection. Here is more info

Currently, to resolve this, the CSP I need to set should be in this format:

Content-Security-Policy: frame-ancestors https://shopify-dev.myshopify.com https://admin.shopify.com;

The https://shopify-dev.myshopify.com in the above code should be the merchant/requester domain.

What I tried: I created a .htaccess file with the following, but it's not adding the dynamic URL.

<IfModule mod_rewrite.c> 
RewriteEngine On 
Header set Content-Security-Policy   "frame-ancestors '%{HTTP_HOST}' 'https://admin.shopify.com';"
</IfModule>

This is what I'm getting in the console:


Apache

On Apache, you would need to do it like this instead:

### Apache ###

Header set Content-Security-Policy "frame-ancestors https://%{HTTP_HOST}e https://admin.shopify.com;"

Note the e after %{HTTP_HOST}e (specific syntax for mod_headers). I've also removed the single quotes (not present in the Shopify example) and included the https:// protocol.

The <IfModule> and RewriteEngine On directives are irrelevant here.

Reference:


UPDATE:

LiteSpeed

However, if you are using LiteSpeed (as opposed to Apache) you will instead need to first explicitly assign the Host header to an environment variable and use this in the Header directive instead. (Apache is able to access server variables directly using this syntax, but not LiteSpeed.)

For example:

### LiteSpeed ###

# Assign the "Host" header to an env var "HOSTNAME"
SetEnvIf Host "(.*)" HOSTNAME=$1

# Use "HOSTNAME" (env var) instead in the Header directive
Header set X-Content-Security-Policy "frame-ancestors https://%{HOSTNAME}e https://admin.shopify.com;"

Attempting to use the syntax %{HTTP_HOST} (as you originally had) on Apache would have resulted in a 500 Internal Server Error (with the error "Unrecognized header format %" being reported in the error logs). However, on LiteSpeed this just outputs the literal string {HTTP_HOST} and no error.
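As an added check that is not part of the original answer: once the directive is deployed, the safest way to confirm it works is to inspect the header the server actually sends and verify that frame-ancestors carries the real merchant host rather than a verbatim {HTTP_HOST} (the LiteSpeed symptom described above). The function below does that on a header value; the sample values are constructed, and the commented curl line assumes curl is available and a placeholder URL.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# check_frame_ancestors "<CSP header value>" "<expected merchant host>"
# Returns 0 when the merchant host is listed, 1 when an env-var
# placeholder was emitted literally, 2 when frame-ancestors is missing,
# 3 when the directive is present but lacks the merchant host.
check_frame_ancestors() {
    csp=$1
    host=$2
    # A literal placeholder means the server did not interpolate the variable.
    case "$csp" in
        *'{HTTP_HOST}'*|*'{HOSTNAME}'*) return 1 ;;
    esac
    # Isolate the frame-ancestors directive (CSP directives are ';'-separated).
    fa=$(printf '%s\n' "$csp" | tr ';' '\n' \
         | sed -n 's/^[[:space:]]*frame-ancestors[[:space:]]*//p')
    [ -n "$fa" ] || return 2
    # Sources are whitespace-separated; require an exact https:// match.
    for src in $fa; do
        [ "$src" = "https://$host" ] && return 0
    done
    return 3
}

# Constructed sample header values (not captured from a real server).
GOOD="frame-ancestors https://shopify-dev.myshopify.com https://admin.shopify.com;"
LITESPEED_BROKEN="frame-ancestors https://{HTTP_HOST} https://admin.shopify.com;"
NO_MERCHANT="frame-ancestors https://admin.shopify.com;"

# Live check (assumes curl; example.invalid is a placeholder for your app URL):
# csp=$(curl -sI https://example.invalid/ | tr -d '\r' \
#       | sed -n 's/^[Cc]ontent-[Ss]ecurity-[Pp]olicy: //p')
# check_frame_ancestors "$csp" shopify-dev.myshopify.com && echo OK
```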
