httpd-users mailing list archives

From Daniel Gruno <humbed...@apache.org>
Subject Re: [users@httpd] CSP nonces in apache
Date Thu, 07 Sep 2017 17:53:00 GMT
On 09/07/2017 07:46 PM, Luis Speciale wrote:
> Hello;
> 
> I wanted to have CSP nonces in apache. Something like this in NGINX
> https://scotthelme.co.uk/csp-nonce-support-in-nginx/
> The idea is to generate a number, put this number in the CSP nonce (the
> header) and then replicate this number in every inline script.
> 
> So in my httpd-vhosts.conf I did this
> 
> Define numbnonce %{UNIQUE_ID}e
> 
> SubstituteInheritBefore on
> AddOutputFilterByType SUBSTITUTE text/html
> Substitute "s|(<script)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"
> Substitute "s|(<style)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"

Quick spot-check says you should probably change '.)*)' to ').*)'
Also, the env vars need to be ${}'ed.
Assuming you want to inject nonce-foo into all non-external scripts, I
would shorten it to something like:

s|<(style|script)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|

> 
> Header set Content-Security-Policy "default-src 'self'; connect-src
> 'self' ; script-src 'self' 'nonce-${numbnonce}'; style-src 'self'
> 'nonce-${numbnonce}';"
> 
> The variable appears in the headers  ('nonce-WbGA@8CoABAAADceEfUAAAAP')
> but it doesn't in the substitution (<script nonce-$numbnonce="">) and I
> can't see why because I'm not skilled enough.
> 
> Thanks for reading me and thanks in advance for any ideas or suggestions.
> 
> Luis
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 



