httpd-users mailing list archives

From Luis Speciale <lspeci...@gmail.com>
Subject Re: [users@httpd] CSP nonces in apache (SOLVED)
Date Mon, 11 Sep 2017 18:40:44 GMT
On 11/09/2017 at 17:12, Daniel Gruno wrote:

For those who want to accept inline scripts and styles with a nonce 
according to the CSP directives.

You must reinstall your apache server with lua support.
On my Mac I had installed httpd 2.4 with brew.

Open
	/usr/local/Homebrew/Library/Taps/homebrew/homebrew-apache/httpd24.rb
and add
	--enable-lua

in the args section and save it:

args = %W[
...
       --enable-lua
...
     ]
Then stop and reinstall apache

	sudo apachectl stop
	brew reinstall httpd24

Edit httpd.conf and add mod_lua

	LoadModule lua_module libexec/mod_lua.so


Add these two lines in your httpd-vhosts.conf
	LuaOutputFilter fixupNonce /usr/local/var/www/nonce.lua nonce
	SetOutputFilter fixupNonce

Put this text in /usr/local/var/www/nonce.lua

-- Thanks to Daniel Gruno humbedooh@apache.org who did… almost everything!

-- Nonce for the current response; set in nonce() before any bucket is rewritten
local nid

function fixNonce(stype, str)
	-- If it has a source, it's not inline
	if str:match("src=") then
		return ("<%s%s>"):format(stype, str)
	else
	-- If not, we add the nonce. The HTML attribute form is nonce="...";
	-- the header form (below) is 'nonce-...'
		return ('<%s nonce="%s"%s>'):format(stype, nid, str)
	end
end

function nonce(r)
	coroutine.yield()
	-- Make an unpredictable nonce for this response from the OS random source.
	-- (An unseeded math.random repeats the same sequence, so a nonce built
	-- from it plus the client IP would be guessable.)
	local f = assert(io.open("/dev/urandom", "rb"))
	local raw = f:read(16)
	f:close()
	nid = r:sha1(raw)
	-- Set the CSP header here instead of httpd.conf and give the var nid to nonce-.
	-- The standard header name is Content-Security-Policy; the X- prefixed
	-- name is legacy and current browsers ignore it. One Lua string cannot
	-- span lines, so the value is built by concatenation.
	r.err_headers_out['Content-Security-Policy'] = "default-src 'self'; " ..
		"connect-src 'self'; script-src 'self' 'nonce-" .. nid .. "'; " ..
		"style-src 'self' 'nonce-" .. nid .. "'; font-src 'self'; " ..
		"frame-ancestors 'self'; object-src 'none'; " ..
		"sandbox allow-forms allow-same-origin allow-scripts allow-popups " ..
		"allow-modals allow-orientation-lock allow-pointer-lock " ..
		"allow-presentation allow-popups-to-escape-sandbox; base-uri 'self'; " ..
		"report-uri / https://••••••YOURSITE••••••••/CSP_URI.php"

	-- For each bucket, substitute script/style if inline.
	-- (An opening tag split across two buckets is not matched by this loop.)
	while bucket do
		bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
		bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
		coroutine.yield(bucket)
	end
end


And start apache.

Test it with

<!doctype html>
<html class="no-js" lang="en">
<head>
	<meta charset="utf-8">
	<title>::CSP::</title>
	<meta name="description" content="fait des sites avec SPIP">
</head>
<body>
<h5>
	Hello!
</h5>
<script>
	console.log("It Works!");
</script>
<style>	
	h5 {color:#900;}
</style>
</body>
</html>

You should have a red h5 and a console.log that confirms It works!

Et voilà!


Thanks again Daniel!

Luis
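A runnable version of the same nonce-injection logic, added here as a Python example (it is not the Lua from the post above and it does not use mod_lua's API). It draws the nonce from the OS CSPRNG, rewrites inline <script>/<style> opening tags into the nonce="..." attribute form while leaving tags that carry a src= untouched, builds the matching Content-Security-Policy value, verifies that a page's inline tags agree with the header, and handles the case the per-bucket filter above does not cover: an opening tag split across two output chunks. SAMPLE_HTML and the /csp report URI are constructed sample input.

```python
"""Nonce-based CSP for inline <script>/<style>: nonce generation, tag
rewriting (also across chunk boundaries), header construction and a
consistency check. Added example; not code from the post or from mod_lua."""
import re
import secrets

# Opening <script ...> or <style ...> tag: group 1 = tag name,
# group 2 = attribute text (None when the tag has no attributes).
TAG_RE = re.compile(r"<(script|style)(\s[^>]*)?>", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc\s*=", re.IGNORECASE)


def make_nonce() -> str:
    """Unpredictable per-response nonce (16 random bytes, base64url).
    A value derived from an unseeded PRNG plus the client IP is guessable;
    secrets.token_urlsafe reads the OS CSPRNG."""
    return secrets.token_urlsafe(16)


def _fix_tag(m, nonce: str) -> str:
    name, attrs = m.group(1), m.group(2) or ""
    # External resource: host allow-listing ('self') applies, no nonce needed.
    if SRC_RE.search(attrs):
        return m.group(0)
    # HTML attribute form is nonce="value"; the header form is 'nonce-value'.
    return f'<{name} nonce="{nonce}"{attrs}>'


def add_nonces(html: str, nonce: str) -> str:
    """Rewrite every inline script/style opening tag in a complete document."""
    return TAG_RE.sub(lambda m: _fix_tag(m, nonce), html)


def add_nonces_streamed(chunks, nonce: str):
    """Same rewrite, but over chunks as an output filter sees them.
    Text after the last '<' that has no closing '>' yet is held back and
    prepended to the next chunk, so '<scr' + 'ipt>' is still rewritten."""
    carry = ""
    for chunk in chunks:
        data = carry + chunk
        cut = data.rfind("<")
        if cut != -1 and ">" not in data[cut:]:
            carry, data = data[cut:], data[:cut]
        else:
            carry = ""
        yield add_nonces(data, nonce)
    if carry:
        yield add_nonces(carry, nonce)


def csp_header(nonce: str, report_uri: str) -> str:
    """Value for the standard Content-Security-Policy header; the
    X-Content-Security-Policy name is legacy and ignored by current browsers."""
    return ("default-src 'self'; connect-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; style-src 'self' 'nonce-{nonce}'; "
            "font-src 'self'; frame-ancestors 'self'; object-src 'none'; "
            f"base-uri 'self'; report-uri {report_uri}")


def unnonced_inline_tags(html: str, nonce: str) -> list:
    """Check: inline script/style opening tags that lack the expected nonce.
    An empty list means the page is consistent with the header; anything
    listed would be blocked (and reported) by the browser."""
    bad = []
    for m in TAG_RE.finditer(html):
        attrs = m.group(2) or ""
        if SRC_RE.search(attrs):
            continue
        if f'nonce="{nonce}"' not in attrs:
            bad.append(m.group(0))
    return bad


# Constructed sample page: the test page from the post plus one external script.
SAMPLE_HTML = """<!doctype html>
<html lang="en"><head><meta charset="utf-8"><title>::CSP::</title></head>
<body><h5>Hello!</h5>
<script>
\tconsole.log("It Works!");
</script>
<script src="/app.js"></script>
<style>
\th5 {color:#900;}
</style>
</body></html>"""

if __name__ == "__main__":
    n = make_nonce()
    page = add_nonces(SAMPLE_HTML, n)
    print("Content-Security-Policy:", csp_header(n, "/csp"))
    print(page)
    print("inline tags without nonce:", unnonced_inline_tags(page, n))
```

The streamed variant is the part worth comparing with the Lua filter: mod_lua hands the filter one bucket at a time, and a <script> tag that straddles two buckets would reach the browser without a nonce and be blocked, so an output-filter implementation needs the same carry-over logic (or the page has to be processed as a whole).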



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

