httpd-users mailing list archives

From Luis Speciale <lspeci...@gmail.com>
Subject Re: [users@httpd] CSP nonces in apache
Date Mon, 11 Sep 2017 10:25:07 GMT
On 11/09/2017 at 12:02, Daniel Gruno wrote:
> On 09/11/2017 11:51 AM, Luis Speciale wrote:
>> On 11/09/2017 at 11:38, Mitchell Krog Photography wrote:
>>> As per the original article from Scott Helme that you initially
>>> referred to, you will need to generate a random string yourself.
>>> Something like this might help you in the right direction -
>>> https://gist.github.com/earthgecko/3089509
>>
>>
>> I was trying to do this with %{UNIQUE_ID} and %{TIME}, but these
>> variables work in the httpd config while they appear literally in the
>> content. I need an idea or a suggestion about how to achieve this
>> otherwise, and that's what I can't figure out.
>>
>> Thanks for the answer.
> 
> You could alternately use mod_lua as an output filter.
> 
> LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
> SetOutputFilter fixupNonce # or AddOutputFilterByType
> 
> 
> and then in nonce.lua, you'd have:
> 
> function fixNonce(stype, str)
>     -- stype is "script" or "style"; str is the rest of the tag (its attributes)
>     if str:match("src=") then
>         -- external resource: leave the tag untouched
>         return ("<%s%s>"):format(stype, str)
>     else
>         -- inline block: add the HTML attribute form nonce="..."
>         -- (the header uses the token form 'nonce-...')
>         return ('<%s nonce="%s"%s>'):format(stype, nid, str)
>     end
> end
> 
> function nonce(r)
>     -- first yield signals the filter is ready to receive buckets
>     coroutine.yield()
>     -- make a random nonce ID for this session
>     nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
>     -- for each bucket, substitute script/style if internal
>     -- ('bucket' is the global mod_lua fills in after every yield)
>     while bucket do
>         bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
>         bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
>         coroutine.yield(bucket)
>     end
> end
> 

I'm going to try this today and I will tell you what happens, thanks!!!!!

Luis

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
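As an added illustration, not code from this thread or from the httpd project: a mod_lua output filter in the shape Daniel describes, changed in three ways a defender would want. It mints a fresh nonce per response from /dev/urandom (a nonce keyed on math.random and the client IP is predictable and, being per session, repeats across responses), it writes the same value into the Content-Security-Policy header before the first yield so the header and the markup cannot drift apart, and it emits the HTML attribute form nonce="…" while the header carries the token form 'nonce-…'. The directive names cspNonce and csp_nonce, the script path, the policy string and the decision to nonce external as well as inline tags are assumptions.

```lua
-- Added example for this thread, not from the original posts.
-- httpd.conf (assumed names):
--   LuaOutputFilter cspNonce /path/to/csp_nonce.lua csp_nonce
--   AddOutputFilterByType cspNonce text/html

-- 16 random bytes from the kernel CSPRNG, base64-encoded with mod_lua's
-- r:base64_encode. Returns nil when no randomness is available.
local function make_nonce(r)
    local f = io.open("/dev/urandom", "rb")
    if not f then
        return nil
    end
    local raw = f:read(16)
    f:close()
    if not raw or #raw ~= 16 then
        return nil
    end
    return r:base64_encode(raw)
end

function csp_nonce(r)
    local nonce = make_nonce(r)
    if not nonce then
        -- Returning before the first yield declines the filter: no header and
        -- no attributes are added, rather than a header that blocks everything.
        r:err("csp_nonce: no randomness source, response left untouched")
        return
    end

    -- Headers must be set before the first yield, i.e. before the body starts.
    -- Header token form is 'nonce-<value>'; policy string is an assumption.
    r.headers_out["Content-Security-Policy"] =
        ("default-src 'self'; script-src 'nonce-%s'; style-src 'nonce-%s'"):format(nonce, nonce)

    -- gsub callback: stype is the tag name capture, attrs the rest of the tag.
    local function tag(stype, attrs)
        if attrs:find("nonce=", 1, true) then
            return ("<%s%s>"):format(stype, attrs)      -- already tagged
        end
        -- HTML attribute form is nonce="<value>"
        return ('<%s nonce="%s"%s>'):format(stype, nonce, attrs)
    end

    coroutine.yield()   -- ready to receive buckets
    while bucket do
        -- case-insensitive match on the tag name; '.-' stops at the first '>'
        local out = bucket:gsub("<([Ss][Cc][Rr][Ii][Pp][Tt])(%s*.-)>", tag)
        out = out:gsub("<([Ss][Tt][Yy][Ll][Ee])(%s*.-)>", tag)
        coroutine.yield(out)
    end
end
```

Two limits worth knowing before relying on this: a tag split across two buckets is not matched and ships without a nonce, and an attribute value containing a literal `>` ends the match early, so the filter is only as good as the markup it sees. Confirm the result in the browser console (a tag the filter missed shows up as a CSP violation against the page's own script) rather than assuming every tag was rewritten.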

