httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Luis Speciale <>
Subject Re: [users@httpd] CSP nonces in apache
Date Mon, 11 Sep 2017 09:35:17 GMT
Le 11/09/2017 à 10:59, Daniel Gruno a écrit :
> On 09/11/2017 10:48 AM, Luis Speciale wrote:
>> Le 07/09/2017 à 20:57, Daniel Gruno a écrit :
>>> might be that you need to uppercase it to NUMBNONCE.
>> After a week trying I'm beginning to think that it can't be done the way
>> I thought. Is there a way (another, of course) to achieve this?
> It SHOULD work.
> I tested the following:
> SubstituteInheritBefore on
> SetOutputFilter SUBSTITUTE # Forcing substitute on everything
> Define NUMBNONCE "1234"
> Substitute "s/<(script|style)((?!\s*src=)?.*)>/<$1  nonce-${NUMBNONCE}$2>/i"
> My HTML then showed "<script nonce-1234 ...>"

Sorry for the double post, I forgot to post to the list

Yes, I know. But I need to populate NUMBNONCE with a variable number 
which must change every hit, that's the reason why I was trying with 
%{UNIQUE_ID} (I tried %TIME too). It appears that this variables works 
only in the HTTPD config, but doesn't "exports" to the site. That's why 
I thought it can't be done the way I figured it.
I need a variable that can go out the context of the httpd

Thanks again, Daniel

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message