httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Gruno <humbed...@apache.org>
Subject Re: [users@httpd] CSP nonces in apache
Date Mon, 11 Sep 2017 10:02:30 GMT
On 09/11/2017 11:51 AM, Luis Speciale wrote:
> Le 11/09/2017 à 11:38, Mitchell Krog Photography a écrit :
>> As per the original article from Scott Helme that you intially
>> referred to, you will need to generate a random string yourself.
>> Something like this might help you in the right direction -
>> https://gist.github.com/earthgecko/3089509
> 
> 
> I was trying to do this with %{UNIQUE_ID} and %{TIME}, but this
> variables works in the httpd config but they appear litterally in the
> content. I need an idea or a suggestion about how achieve this
> otherwise, and that's what I can't figure how.
> 
> Thanks for the answer.

You could alternately use mod_lua as an output filter.

LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
SetOutputFilter fixupNonce # or AddOutputFilterByType


and then in nonce.lua, you'd have:

function fixNonce(stype, str)
   if str:match("src=") then
      return ("<%s%s>"):format(stype, str)
   else
      return ("<%s nonce-%s %s>"):format(stype, nid, str)
   end
end

function nonce(r)
   coroutine.yield()
   -- make a random nonce ID for this session
   nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
    -- for each bucket, substitute script/style if internal
    while bucket do
          bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
          bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
          coroutine.yield(bucket)
    end
end



> 
> Luis
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message