Re: CSP nonces in apache

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/07/2017 07:46 PM, Luis Speciale wrote:
> Hello;
> 
> I wanted to have CSP nonces in apache. Something like this in NGINX
> https://scotthelme.co.uk/csp-nonce-support-in-nginx/
> The idea is to generate a number, put this number in the CSP nonce (the
> header) and then replicate this number in every inline script.
> 
> So in my httpd-vhosts.conf I did this
> 
> Define numbnonce %{UNIQUE_ID}e
>            
> SubstituteInheritBefore on
> AddOutputFilterByType SUBSTITUTE text/html
> Substitute "s|(<script)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"
> Substitute "s|(<style)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"

Quick spot-check says you should probably change '.)*)' to ').*)'
Also, the env vars need to be ${}'ed.
Assuming you want to inject nonce-foo into all non-external scripts, I
would shorten it to something like:

s|<(style|script)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|

>     
> Header set Content-Security-Policy "default-src 'self'; connect-src
> 'self' ; script-src 'self' 'nonce-${numbnonce}'; style-src 'self'
> 'nonce-${numbnonce}';"
> 
> The variable appears in the headers  ('nonce-WbGA@8CoABAAADceEfUAAAAP')
> but it doesn't in the substitution (<script nonce-$numbnonce="">) and I
> can't see why because I'm not skilled enough.
> 
> Thanks for reding me and thanks in advance for any ideas or suggestions.
> 
> Luis
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux