httpd-users mailing list archives

From Luis Speciale <>
Subject Re: [users@httpd] CSP nonces in apache
Date Mon, 11 Sep 2017 15:00:59 GMT
On 11/09/2017 at 12:02, Daniel Gruno wrote:

> You could alternately use mod_lua as an output filter.
> LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
> SetOutputFilter fixupNonce # or AddOutputFilterByType
> and then in nonce.lua, you'd have:
> -- nid holds the nonce for the current response: assigned in nonce(r), read by fixNonce
> local nid
> 
> -- gsub callback: stype is "script" or "style", str is the rest of the tag.
> -- Tags that load an external src are left as they are; inline ones get the nonce attribute.
> function fixNonce(stype, str)
>     if str:match("src=") then
>        return ("<%s%s>"):format(stype, str)
>     else
>        return ('<%s nonce="%s"%s>'):format(stype, nid, str)
>     end
> end
> function nonce(r)
>     coroutine.yield()
>     -- make a random nonce ID for this session
>     nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
>     -- for each bucket, substitute script/style if internal
>     while bucket do
>         bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
>         bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
>         coroutine.yield(bucket)
>     end
> end

Well, I reinstalled apache with mod_lua and your code works. I mean it 
finds the script tags and adds the nonce. But I'm still unable to 
replicate the nonce in the header to make it work.

So if my header contains

Header set Content-Security-Policy "default-src 'self'; connect-src 'self' ; script-src 'self' 'nonce-123456789'"

I named it nonce-123456789 to easily change it.

I have tried with this
	bucket = bucket:gsub("nonce-123456789%s", fixNonce)

But it doesn't work there.

After some Googling (I searched for "apache modify headers" and "apache 
set headers with lua"), I tried this too

r.headers_out['Content-Security-Policy'] = "script-src 'self' 

Then I did this

function goNonce(stype, str)
	if str:match("nonce-123456789") then
		return ("%s nonce-%s %s"):format(stype, nid, str)

	while bucket do
		bucket = bucket:gsub("<(123456789)(%s*.-)>", goNonce)

And a dozen similar tries, but with the same result: nothing changes in the 
headers. Sorry to bother you again, but I can't see the way to do it.

Thanks again
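A complete version of the filter that ties the two halves of the thread together (the nonce in the header and the nonce on the inline tags), added here as an example rather than code from either poster. It assumes mod_lua's output-filter protocol (response headers can be written only before the first `coroutine.yield()`, after which buckets arrive in the global `bucket` until it becomes nil), the hypothetical httpd configuration shown in its header comment, and a helper `randomBytes` that reads `/dev/urandom`; none of that is taken from the original messages.

```lua
-- nonce.lua: per-response CSP nonce, written into the header and stamped on inline tags.
-- Added example, not code from the thread. Assumed httpd configuration:
--   LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
--   AddOutputFilterByType fixupNonce text/html
-- with no separate "Header set Content-Security-Policy": the filter owns that header.

local nid  -- nonce for the current response; assigned in nonce(r), read by fixNonce

-- 16 bytes from the kernel CSPRNG. Returns nil if they cannot be read so the
-- caller can fail closed; math.random is avoided because it is unseeded and
-- therefore predictable in this context.
local function randomBytes()
    local f = io.open("/dev/urandom", "rb")
    if not f then return nil end
    local bytes = f:read(16)
    f:close()
    if bytes and #bytes == 16 then return bytes end
    return nil
end

-- gsub callback: stype is "script" or "style", attrs is everything up to '>'.
-- External resources (src=) are covered by 'self' and left alone, as is any
-- tag that already carries a nonce attribute.
local function fixNonce(stype, attrs)
    if attrs:match("%f[%w]src%s*=") or attrs:match("%f[%w]nonce%s*=") then
        return ("<%s%s>"):format(stype, attrs)
    end
    return ('<%s nonce="%s"%s>'):format(stype, nid, attrs)
end

-- Build the policy string; the same value must appear in the header and in the tags.
local function policyFor(nonce)
    if nonce then
        return ("default-src 'self'; connect-src 'self'; script-src 'self' 'nonce-%s'; style-src 'self' 'nonce-%s'"):format(nonce, nonce)
    end
    -- Fail closed: with no nonce at all, inline script/style simply stays blocked
    -- instead of being unlocked by a guessable value.
    return "default-src 'self'; connect-src 'self'; script-src 'self'; style-src 'self'"
end

function nonce(r)
    -- Everything that touches headers must happen before the first yield;
    -- once the filter signals readiness the headers are on their way out.
    local raw = randomBytes()
    nid = raw and r:base64_encode(raw) or nil
    r.headers_out['Content-Security-Policy'] = policyFor(nid)
    coroutine.yield()

    -- Buffer the body so a tag split across two buckets is not missed,
    -- then rewrite it once and emit it at the final yield (bucket == nil).
    local parts = {}
    while bucket do
        parts[#parts + 1] = bucket
        coroutine.yield("")
    end
    local body = table.concat(parts)
    if nid then
        body = body:gsub("<(script)(%s*.-)>", fixNonce)
        body = body:gsub("<(style)(%s*.-)>", fixNonce)
    end
    coroutine.yield(body)
end
```

With the default `LuaScope once`, `nid` lives for exactly one request, so two responses never share a nonce. The tag patterns are case-sensitive, as in the original snippet, so an upper-case `<SCRIPT>` would pass through untouched and be blocked by the policy, which is the safe failure direction; a real deployment should confirm the header and the tag attribute carry the identical value by inspecting one response with `curl -i`.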

