Re: CSP nonces in apache

On 11/09/2017 at 12:02, Daniel Gruno wrote:
On 09/11/2017 11:51 AM, Luis Speciale wrote:
On 11/09/2017 at 11:38, Mitchell Krog Photography wrote:
As per the original article from Scott Helme that you initially
referred to, you will need to generate a random string yourself.
Something like this might help you in the right direction -
https://gist.github.com/earthgecko/3089509


I was trying to do this with %{UNIQUE_ID} and %{TIME}, but these
variables work in the httpd config while they appear literally in the
content. I need an idea or a suggestion about how to achieve this
otherwise, and that's what I can't figure out.

Thanks for the answer.

You could alternately use mod_lua as an output filter.

LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
SetOutputFilter fixupNonce # or AddOutputFilterByType


and then in nonce.lua, you'd have:

-- nonce.lua: mod_lua output filter that adds a CSP nonce to inline
-- <script> and <style> tags. nid is shared by both functions, so keep
-- it a file-level local instead of an implicit global.
local nid

function fixNonce(stype, str)
    if str:match("src=") then
       -- external resource: leave the tag alone (allowed by a host
       -- source such as 'self' in the header, not by the nonce)
       return ("<%s%s>"):format(stype, str)
    else
       -- inline block: the tag attribute is nonce="..." while the
       -- header form is 'nonce-...'
       return ("<%s nonce=\"%s\"%s>"):format(stype, nid, str)
    end
end

function nonce(r)
    -- first yield sends the (empty) prologue
    coroutine.yield()
    -- make a random nonce ID for this response; the same value has to
    -- appear in the Content-Security-Policy header of this response.
    -- math.random is not a CSPRNG, so a nonce built this way is guessable.
    nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
    -- mod_lua sets the global 'bucket' before each resume; nil means
    -- the end of the stream. For each bucket, substitute script/style
    -- tags that are inline.
    while bucket do
        bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
        bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
        coroutine.yield(bucket)
    end
end


I'm going to try this today and I will tell you what happens, thanks!!!!!

Luis
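The rewrite the filter above performs, as an added standalone example that is not code from the thread or from mod_lua: it generates a random nonce, adds nonce="..." to inline <script> and <style> tags that carry no src= (the same rule the Lua filter applies), and builds the Content-Security-Policy value that has to accompany that body so the two agree. The HTML sample and the function names are constructed for the example; external scripts are assumed to be allowed by 'self'.

```python
import base64
import re
import secrets

# Constructed sample response body (not from the thread).
SAMPLE_HTML = """<html><head>
<style>body { color: #333; }</style>
<script src="/static/app.js"></script>
<script type="text/javascript">console.log("inline");</script>
</head><body><p>hello</p></body></html>"""

# Opening <script ...> / <style ...> tags; closing tags start with "</" and never match.
TAG_RE = re.compile(r"<(script|style)(\s[^>]*)?>", re.IGNORECASE)


def make_nonce():
    """16 bytes from the OS CSPRNG, base64-encoded (24 characters).
    A nonce must be unpredictable per response, so no math.random-style PRNG."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def add_nonce(html, nonce):
    """Add nonce="..." to every inline script/style tag in html."""
    def fix(m):
        tag, attrs = m.group(1), m.group(2) or ""
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            return m.group(0)  # external resource: left to the host source ('self')
        if re.search(r"\bnonce\s*=", attrs, re.IGNORECASE):
            return m.group(0)  # already carries a nonce, don't add a second one
        # attribute form in the tag: nonce="..."; header form: 'nonce-...'
        return '<%s nonce="%s"%s>' % (tag, nonce, attrs)
    return TAG_RE.sub(fix, html)


def csp_header(nonce):
    """Header value matching a body produced by add_nonce with the same nonce."""
    return "script-src 'self' 'nonce-%s'; style-src 'self' 'nonce-%s'" % (nonce, nonce)


def inline_tags_without_nonce(html):
    """Check: inline script/style tags a browser would block under the header above."""
    missing = []
    for m in TAG_RE.finditer(html):
        attrs = m.group(2) or ""
        if not re.search(r"\bsrc\s*=", attrs, re.I) and not re.search(r"\bnonce\s*=", attrs, re.I):
            missing.append(m.group(0))
    return missing


def process(html):
    """One response: fresh nonce, rewritten body, matching header value."""
    nonce = make_nonce()
    return csp_header(nonce), add_nonce(html, nonce), nonce


if __name__ == "__main__":
    header, body, nonce = process(SAMPLE_HTML)
    print("Content-Security-Policy:", header)
    print(body)
    print("unprotected inline tags:", inline_tags_without_nonce(body))
```

The check function is the useful part for a deployment: run it over the rewritten body and, if it reports anything, the filter's tag pattern missed a case and the browser will refuse that block under the nonce policy.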
