Re: CSP nonces in apache


 



As per the original article from Scott Helme that you initially referred to, you will need to generate a random string yourself.
Something like this might help you in the right direction - https://gist.github.com/earthgecko/3089509



From: Luis Speciale <lspeciale@xxxxxxxxx>
Reply: users@xxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxx>, lspeciale@xxxxxxxxx <lspeciale@xxxxxxxxx>
Date: 11 September 2017 at 11:35:17 AM
To: users@xxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxx>
Subject:  Re: [users@httpd] CSP nonces in apache

On 11/09/2017 at 10:59, Daniel Gruno wrote:
> On 09/11/2017 10:48 AM, Luis Speciale wrote:
>> On 07/09/2017 at 20:57, Daniel Gruno wrote:
>>
>>>
>>> might be that you need to uppercase it to NUMBNONCE.
>>
>> After a week trying I'm beginning to think that it can't be done the way
>> I thought. Is there a way (another, of course) to achieve this?
>
> It SHOULD work.
> I tested the following:
>
> SubstituteInheritBefore on
> SetOutputFilter SUBSTITUTE # Forcing substitute on everything
> Define NUMBNONCE "1234"
> Substitute "s/<(script|style)((?!\s*src="" nonce-${NUMBNONCE}$2>/i"
>
> My HTML then showed "<script nonce-1234 ...>"


Sorry for the double post, I forgot to post to the list


Yes, I know. But I need to populate NUMBNONCE with a variable number
which must change every hit, that's the reason why I was trying with
%{UNIQUE_ID} (I tried %TIME too). It appears that these variables work
only in the HTTPD config, but don't "export" to the site. That's why
I thought it can't be done the way I figured it.
I need a variable that can go out of the context of the httpd

Thanks again, Daniel
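
As an added example (not code from this thread or from the Apache project): one way to get a nonce that changes on every hit is to generate it in the application behind httpd, shown here as Python WSGI middleware that puts the same value in the `Content-Security-Policy` header and hands it to the page. The `csp.nonce` environ key, `demo_app` and `fetch` are assumptions made for illustration.

```python
import secrets

def csp_value(nonce):
    # Header form is 'nonce-<value>'; the matching HTML attribute is nonce="<value>".
    return "script-src 'nonce-{0}'; style-src 'nonce-{0}'".format(nonce)

class CSPNonceMiddleware:
    """Generate one unpredictable nonce per request and share it with the app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # 16 bytes from the OS CSPRNG, base64url-encoded; never reused across hits.
        nonce = secrets.token_urlsafe(16)
        environ["csp.nonce"] = nonce  # hypothetical key name, read by the app below

        def add_header(status, headers, exc_info=None):
            # Drop any policy set upstream so only the policy for this nonce is sent.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "content-security-policy"]
            headers.append(("Content-Security-Policy", csp_value(nonce)))
            return start_response(status, headers, exc_info)

        return self.app(environ, add_header)

def demo_app(environ, start_response):
    # Constructed sample page: only tags written by the template carry the nonce.
    nonce = environ["csp.nonce"]
    body = ('<html><head><style nonce="{0}">p{{margin:0}}</style></head>'
            '<body><script nonce="{0}">console.log("ok")</script>'
            '</body></html>').format(nonce).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]

def fetch(app):
    """Call a WSGI app once in-process; return (headers dict, body text)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(headers)
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return seen, body.decode("utf-8")
```

Because the template writes the nonce into its own tags, markup that reaches the page by any other route carries no nonce and is blocked by the policy, which a filter stamping every `<script>` in the output would not guarantee.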
