On 11/09/2017 at 12:02, Daniel Gruno wrote:
> You could alternately use mod_lua as an output filter.
>
>     LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
>     # or AddOutputFilterByType
>     SetOutputFilter fixupNonce
>
> and then in nonce.lua, you'd have:
>
>     function fixNonce(stype, str)
>         if str:match("src=") then
>             return ("<%s%s>"):format(stype, str)
>         else
>             return ("<%s nonce-%s %s>"):format(stype, nid, str)
>         end
>     end
>
>     function nonce(r)
>         coroutine.yield()
>         -- make a random nonce ID for this session
>         nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
>         -- for each bucket, substitute script/style if internal
>         while bucket do
>             bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
>             bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
>             coroutine.yield(bucket)
>         end
>     end
Well, I reinstalled Apache with mod_lua and your code works. I mean it finds the script tags and adds the nonce. But I'm still unable to replicate the nonce in the header to make it work.

So if my header contains

    Header set Content-Security-Policy "default-src 'self'; connect-src 'self' ; script-src 'self' 'nonce-123456789'"

I named it nonce-123456789 to easily change it. I have tried with this

    bucket = bucket:gsub("nonce-123456789%s", fixNonce)

But it doesn't work there. After some Googling (I searched for "apache modify headers" and "apache set headers with lua"), I tried this too

    r.headers_out['Content-Security-Policy'] = "script-src 'self' 'nonce-123456789'"

Then I did this

    function goNonce(stype, str)
        if str:match("nonce-123456789") then
            return ("%s nonce-%s %s"):format(stype, nid, str)
        end
    end

    while bucket do
        bucket = bucket:gsub("<(123456789)(%s*.-)>", goNonce)

And a dozen similar tries, but same results, nothing changes in the headers. Sorry to bother you again, but I can't see the way to do it.
Thanks again
Luis
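The piece this thread is circling, as an added example that is not code from either poster or from mod_lua: one nonce per response, drawn from the OS random source rather than math.random, substituted for the 123456789 placeholder in the policy and written into inline tags as nonce="...", the attribute form browsers compare against the header. It is plain Lua that runs outside Apache; the function names, the sample page and the use of /dev/urandom are assumptions.

```lua
-- Added example; every name here is hypothetical, not part of mod_lua.
local PLACEHOLDER = "123456789"  -- placeholder value used in the Header line above

-- 16 bytes from the OS CSPRNG, hex-encoded (hex characters are valid in a CSP nonce).
local function new_nonce()
    local f = assert(io.open("/dev/urandom", "rb"))
    local bytes = f:read(16)
    f:close()
    local hex = {}
    for i = 1, #bytes do hex[i] = ("%02x"):format(bytes:byte(i)) end
    return table.concat(hex)
end

-- Add nonce="..." to inline <script>/<style> opening tags. Tags that carry src=
-- are left alone, as in the quoted filter; tags already carrying a nonce are skipped.
-- %f[%s>] stops the pattern from matching longer tag names such as <scripts>.
local function add_nonce(html, nonce)
    local function fix(tag, attrs)
        if attrs:match("src=") or attrs:match("nonce=") then
            return ("<%s%s>"):format(tag, attrs)
        end
        return ('<%s nonce="%s"%s>'):format(tag, nonce, attrs)
    end
    html = html:gsub("<(script)(%f[%s>][^>]*)>", fix)
    html = html:gsub("<(style)(%f[%s>][^>]*)>", fix)
    return html
end

-- Replace the placeholder in the policy so header and body carry the same value.
local function csp_header(template, nonce)
    local pattern = "'nonce%-" .. PLACEHOLDER .. "'"
    return (template:gsub(pattern, "'nonce-" .. nonce .. "'"))
end

-- Constructed sample input.
local policy = "default-src 'self'; connect-src 'self' ; script-src 'self' 'nonce-123456789'"
local page = '<script src="/app.js"></script><script>init()</script><style>p{}</style>'

local nonce = new_nonce()  -- generate once per response, never reuse
print("Content-Security-Policy: " .. csp_header(policy, nonce))
print(add_nonce(page, nonce))
```

Inside the filter, the header value and every rewritten bucket must receive the same per-request nonce. Whether an assignment to r.headers_out made before the first coroutine.yield() survives a later Header set directive is an assumption to test, not something this thread confirms.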