httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mitchell Krog Photography <>
Subject Re: [users@httpd] CSP nonces in apache
Date Mon, 11 Sep 2017 09:38:20 GMT
As per the original article from Scott Helme that you intially referred to, you will need to
generate a random string yourself.
Something like this might help you in the right direction -

From: Luis Speciale <>
Reply: <>, <>
Date: 11 September 2017 at 11:35:17 AM
To: <>
Subject:  Re: [users@httpd] CSP nonces in apache  

Le 11/09/2017 à 10:59, Daniel Gruno a écrit :  
> On 09/11/2017 10:48 AM, Luis Speciale wrote:  
>> Le 07/09/2017 à 20:57, Daniel Gruno a écrit :  
>>> might be that you need to uppercase it to NUMBNONCE.  
>> After a week trying I'm beginning to think that it can't be done the way  
>> I thought. Is there a way (another, of course) to achieve this?  
> It SHOULD work.  
> I tested the following:  
> SubstituteInheritBefore on  
> SetOutputFilter SUBSTITUTE # Forcing substitute on everything  
> Define NUMBNONCE "1234"  
> Substitute "s/<(script|style)((?!\s*src=)?.*)>/<$1 nonce-${NUMBNONCE}$2>/i"
> My HTML then showed "<script nonce-1234 ...>"  

Sorry for the double post, I forgot to post to the list  

Yes, I know. But I need to populate NUMBNONCE with a variable number  
which must change every hit, that's the reason why I was trying with  
%{UNIQUE_ID} (I tried %TIME too). It appears that this variables works  
only in the HTTPD config, but doesn't "exports" to the site. That's why  
I thought it can't be done the way I figured it.  
I need a variable that can go out the context of the httpd  

Thanks again, Daniel  

To unsubscribe, e-mail:  
For additional commands, e-mail:  

View raw message