httpd-users mailing list archives

From Mitchell Krog Photography <mitchellk...@gmail.com>
Subject Re: [users@httpd] CSP nonces in apache
Date Mon, 11 Sep 2017 09:38:20 GMT
As per the original article from Scott Helme that you initially referred to, you will need to
generate a random string yourself.
Something like this might help you in the right direction - https://gist.github.com/earthgecko/3089509



From: Luis Speciale <lspeciale@gmail.com>
Reply: users@httpd.apache.org <users@httpd.apache.org>, lspeciale@gmail.com <lspeciale@gmail.com>
Date: 11 September 2017 at 11:35:17 AM
To: users@httpd.apache.org <users@httpd.apache.org>
Subject:  Re: [users@httpd] CSP nonces in apache  

On 11/09/2017 at 10:59, Daniel Gruno wrote:  
> On 09/11/2017 10:48 AM, Luis Speciale wrote:  
>> On 07/09/2017 at 20:57, Daniel Gruno wrote:  
>>  
>>>  
>>> might be that you need to uppercase it to NUMBNONCE.  
>>  
>> After a week trying I'm beginning to think that it can't be done the way  
>> I thought. Is there a way (another, of course) to achieve this?  
>  
> It SHOULD work.  
> I tested the following:  
>  
> SubstituteInheritBefore on  
> # Forcing substitute on everything  
> SetOutputFilter SUBSTITUTE  
> Define NUMBNONCE "1234"  
> Substitute "s/<(script|style)((?!\s*src=)?.*)>/<$1 nonce-${NUMBNONCE}$2>/i"  
>  
>  
> My HTML then showed "<script nonce-1234 ...>"  


Sorry for the double post, I forgot to post to the list  


Yes, I know. But I need to populate NUMBNONCE with a variable number  
which must change every hit, that's the reason why I was trying with  
%{UNIQUE_ID} (I tried %TIME too). It appears that these variables work  
only in the HTTPD config, but don't "export" to the site. That's why  
I thought it can't be done the way I figured it.  
I need a variable that can go out of the context of the httpd.  

Thanks again, Daniel  

---------------------------------------------------------------------  
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org  
For additional commands, e-mail: users-help@httpd.apache.org  
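
The thread turns on getting a value that changes on every hit into both the CSP header and the markup. As an added example (not code from the thread, the linked gist, or Apache httpd), this Python WSGI wrapper generates the random string per response and writes it to both places; the names `NonceMiddleware`, `add_nonce`, `csp_header` and the `'self'` policy are assumptions made for illustration.

```python
import re
import secrets

# Opening <script>/<style> tags; group 2 is the tag's existing attribute text.
TAG_RE = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
# Tags that load a file (src=) or already carry a nonce are left untouched.
SKIP_RE = re.compile(r"(?:^|\s)(?:src|nonce)\s*=", re.IGNORECASE)


def add_nonce(html, nonce):
    """Add nonce="..." to inline script/style tags (no src, no nonce yet)."""
    def repl(m):
        if SKIP_RE.search(m.group(2)):
            return m.group(0)
        return '<%s nonce="%s"%s>' % (m.group(1), nonce, m.group(2))
    return TAG_RE.sub(repl, html)


def csp_header(nonce):
    # Assumed policy: same-origin files plus inline blocks carrying the nonce.
    src = "'self' 'nonce-%s'" % nonce
    return "script-src %s; style-src %s" % (src, src)


class NonceMiddleware:
    """WSGI wrapper: one fresh nonce per response, in header and body."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        nonce = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        seen = {}

        def capture(status, headers, exc_info=None):
            seen["status"], seen["headers"] = status, list(headers)

        body = b"".join(self.app(environ, capture))
        drop = ("content-length", "content-security-policy")
        headers = [(k, v) for k, v in seen["headers"] if k.lower() not in drop]
        ctype = next((v for k, v in seen["headers"]
                      if k.lower() == "content-type"), "")
        if ctype.lower().startswith("text/html"):
            body = add_nonce(body.decode("utf-8"), nonce).encode("utf-8")
            headers.append(("Content-Security-Policy", csp_header(nonce)))
        headers.append(("Content-Length", str(len(body))))
        start_response(seen["status"], headers)
        return [body]
```

A filter that stamps every tag in the output also stamps tags that reached the page through injected markup, so where possible the nonce should be emitted by the code that writes each tag rather than by a blanket rewrite.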

