From: Luis Speciale
Reply-To: lspeciale@gmail.com
To: users@httpd.apache.org
Date: Mon, 11 Sep 2017 20:40:44 +0200
Subject: Re: [users@httpd] CSP nonces in apache (SOLVED)

On 11/09/2017 at 17:12, Daniel Gruno wrote:

For those who want to accept inline scripts and styles with a nonce according to the CSP directives:

You must reinstall your Apache server with Lua support. On my Mac I had installed httpd 2.4 with brew.

Open /usr/local/Homebrew/Library/Taps/homebrew/homebrew-apache/httpd24.rb, add --enable-lua in the args section and save it:

    args = %W[
      ...
      --enable-lua
      ...
    ]

Then stop and reinstall Apache:

    sudo apachectl stop
    brew reinstall httpd24

Edit httpd.conf and add mod_lua:

    LoadModule lua_module libexec/mod_lua.so

Add these two lines to your httpd-vhosts.conf:

    LuaOutputFilter fixupNonce /usr/local/var/www/nonce.lua nonce
    SetOutputFilter fixupNonce

Put this text in /usr/local/var/www/nonce.lua:

    -- Thanks to Daniel Gruno humbedooh@apache.org who did... almost everything!

    local nid  -- per-request nonce, shared with fixNonce below

    local function fixNonce(stype, str)
        -- If it has a source, it's not inline: leave the tag untouched
        if str:match("src=") then
            return ("<%s%s>"):format(stype, str)
        else
            -- Otherwise add the nonce as a proper HTML attribute (nonce="...")
            return ('<%s nonce="%s"%s>'):format(stype, nid, str)
        end
    end

    -- Read raw bytes from the kernel CSPRNG; math.random is unseeded and predictable
    local function randomBytes(n)
        local f = io.open("/dev/urandom", "rb")
        if not f then return nil end
        local bytes = f:read(n)
        f:close()
        return bytes
    end

    function nonce(r)
        coroutine.yield()
        -- Make a fresh random nonce ID for this request
        local seed = randomBytes(16) or (tostring(os.time()) .. os.clock())
        nid = r:sha1(seed .. r.useragent_ip)
        -- Set the CSP header here instead of httpd.conf so it carries the same nonce.
        -- Browsers enforce Content-Security-Policy; the old X-Content-Security-Policy name is ignored.
        r.err_headers_out['Content-Security-Policy'] =
            "default-src 'self'; connect-src 'self'; script-src 'self' 'nonce-" .. nid .. "'; " ..
            "style-src 'self' 'nonce-" .. nid .. "'; font-src 'self'; frame-ancestors 'self'; " ..
            "object-src 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups " ..
            "allow-modals allow-orientation-lock allow-pointer-lock allow-presentation " ..
            "allow-popups-to-escape-sandbox; base-uri 'self'; " ..
            "report-uri https://••••••YOURSITE••••••••/CSP_URI.php"
        -- For each bucket, substitute script/style tags if inline
        while bucket do
            bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
            bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
            coroutine.yield(bucket)
        end
    end

And start Apache. Test it with ::CSP::
Hello!
You should have a red h5 and a console.log that confirms "It works!"

Et voilà! Thanks again Daniel!

Luis
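An added check, written for this archive page and not part of Luis's post or of mod_lua: the Python below parses a response's CSP header together with its HTML and reports the mistakes a nonce-inserting filter is prone to: a pre-standard header name that browsers ignore, a dropped ';' between directives, and inline script/style tags whose nonce attribute is missing or does not match the header. The sample header and markup are constructed to mirror the red-h5 test page.

```python
import re
DEPRECATED_CSP_HEADERS = ("X-Content-Security-Policy", "X-WebKit-CSP")  # not enforced by modern browsers
TAG_RE = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_csp(header_value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def header_nonces(policy, directive):
    """Nonce values a directive (or default-src as its fallback) allows: 'nonce-abc' -> 'abc'."""
    sources = policy[directive] if directive in policy else policy.get("default-src", [])
    return {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-") and s.endswith("'")}

def check_response(headers, html):
    """Return findings about a header/markup pair; an empty list means consistent."""
    findings = [f"{h} is a pre-standard header name that modern browsers ignore"
                for h in DEPRECATED_CSP_HEADERS if h in headers]
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("no Content-Security-Policy header: nothing is enforced")
        return findings
    policy = parse_csp(csp)
    for name, sources in policy.items():  # a directive name among the sources means a dropped ';'
        for src in sources:
            if src.endswith("-src") or src in ("report-uri", "sandbox", "base-uri"):
                findings.append(f"'{src}' inside {name}: missing ';' separator, directive ignored")
    allowed = {k: header_nonces(policy, k + "-src") for k in ("script", "style")}
    for m in TAG_RE.finditer(html):
        kind = m.group(1).lower()
        attrs = {a[0].lower(): a[1] or a[2] or a[3] for a in ATTR_RE.findall(m.group(2))}
        if "src" in attrs:
            continue  # external resource: allowed by 'self' or a host source, not by a nonce
        nonce = attrs.get("nonce")
        if not nonce:
            findings.append(f"inline <{kind}> without a nonce attribute will be blocked")
        elif nonce not in allowed[kind]:
            findings.append(f"inline <{kind}> nonce {nonce!r} is not in {kind}-src")
    return findings

# Constructed sample: what the filter above should emit for its red-h5 test page.
SAMPLE_HEADERS = {"Content-Security-Policy":
                  "default-src 'self'; script-src 'self' 'nonce-a1b2'; style-src 'self' 'nonce-a1b2'"}
SAMPLE_HTML = ('<style nonce="a1b2">h5{color:red}</style><h5>Hello!</h5>'
               '<script nonce="a1b2">console.log("It works!")</script><script src="/app.js"></script>')
```

Run it against a real response by passing the parsed headers and body; `check_response(SAMPLE_HEADERS, SAMPLE_HTML)` returns an empty list, while a `<script nonce-a1b2 >` tag or an `X-Content-Security-Policy` header is reported.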