On 09/07/2017 07:46 PM, Luis Speciale wrote:
> Hello;
>
> I wanted to have CSP nonces in apache. Something like this in NGINX
> https://scotthelme.co.uk/csp-nonce-support-in-nginx/
> The idea is to generate a number, put this number in the CSP nonce (the
> header) and then replicate this number in every inline script.
>
> So in my httpd-vhosts.conf I did this
>
> Define numbnonce %{UNIQUE_ID}e
>
> SubstituteInheritBefore on
> AddOutputFilterByType SUBSTITUTE text/html
> Substitute "s|(<script)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"
> Substitute "s|(<style)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"

Quick spot-check says you should probably change '.)*)' to ').*)'

Also, the env vars need to be ${}'ed.

Assuming you want to inject nonce-foo into all non-external scripts, I would shorten it to something like:

s|<(style|script)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|

>
> Header set Content-Security-Policy "default-src 'self'; connect-src
> 'self' ; script-src 'self' 'nonce-${numbnonce}'; style-src 'self'
> 'nonce-${numbnonce}';"
>
> The variable appears in the headers ('nonce-WbGA@8CoABAAADceEfUAAAAP')
> but it doesn't in the substitution (<script nonce-$numbnonce="">) and I
> can't see why because I'm not skilled enough.
>
> Thanks for reading me and thanks in advance for any ideas or suggestions.
>
> Luis
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
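
The rewrite discussed in this thread, as an added Python example that is not from either poster and is not Apache configuration: it tags every inline `<script>`/`<style>` opening tag, leaves tags with `src=` alone, and checks the result against the header. Assumptions: Python's `re` stands in for the regex engine behind `Substitute`, all function names are hypothetical, the value is written as the HTML attribute `nonce="..."` that a browser compares with `'nonce-...'` in the header, and the nonce comes from `secrets` rather than `UNIQUE_ID`.

```python
import re
import secrets

# Opening <script>/<style> tag with no src= anywhere in its attributes.
# The negative lookahead is tested before each attribute character.
INLINE_TAG = re.compile(r"<(script|style)\b((?:(?!src=)[^>])*)>", re.IGNORECASE)

# Constructed sample page: one inline style, one external script, one inline script.
SAMPLE = (
    '<html><head><style>body{margin:0}</style>'
    '<script src="/static/app.js"></script></head>'
    '<body><script type="text/javascript">init();</script></body></html>'
)


def new_nonce() -> str:
    """Fresh unpredictable value per response (assumption: 128 random bits)."""
    return secrets.token_urlsafe(16)


def add_nonce(html: str, nonce: str) -> str:
    """Insert nonce="..." into every inline <script>/<style> opening tag."""
    return INLINE_TAG.sub(
        lambda m: f'<{m.group(1)} nonce="{nonce}"{m.group(2)}>', html)


def csp_header(nonce: str) -> str:
    """The policy from the thread with the same nonce filled in."""
    return ("default-src 'self'; connect-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; style-src 'self' 'nonce-{nonce}';")


def unnonced_inline_tags(html: str, nonce: str) -> list:
    """Inline tags whose nonce is missing or differs from the header's value."""
    return [m.group(0) for m in INLINE_TAG.finditer(html)
            if f'nonce="{nonce}"' not in m.group(2)]


if __name__ == "__main__":
    n = new_nonce()
    print("Content-Security-Policy:", csp_header(n))
    print(add_nonce(SAMPLE, n))
    print("tags the browser would block:", unnonced_inline_tags(add_nonce(SAMPLE, n), n))
```

Because the filter stamps every inline tag in the response body, markup that reaches the page before the filter runs is stamped as well.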