Re: CSP nonces in apache

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'll top-post.
You can't modify the headers with a filter, but you can change them
before the filtering starts...I think

The filter script starts with coroutine.yield().
before that, you can establish the nonce and set the header using either
r.headers_out or the more robust r.err_headers_out table.

so, you could ditch the Header directive in your httpd conf and change
the filter func as such:

function nonce(r)
  r.err_headers_out['Content-Security-Policy'] = "something here"
  coroutine.yield()
  while bucket do
    ...
   end
end


On 09/11/2017 05:00 PM, Luis Speciale wrote:
> Le 11/09/2017 à 12:02, Daniel Gruno a écrit :
> 
>>
>> You could alternately use mod_lua as an output filter.
>>
>> LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
>> SetOutputFilter fixupNonce # or AddOutputFilterByType
>>
>>
>> and then in nonce.lua, you'd have:
>>
>> function fixNonce(stype, str)
>>     if str:match("src=") then
>>        return ("<%s%s>"):format(stype, str)
>>     else
>>        return ("<%s nonce-%s %s>"):format(stype, nid, str)
>>     end
>> end
>>
>> function nonce(r)
>>     coroutine.yield()
>>     -- make a random nonce ID for this session
>>     nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
>>      -- for each bucket, substitute script/style if internal
>>      while bucket do
>>            bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
>>            bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
>>            coroutine.yield(bucket)
>>      end
>> end
> 
> 
> Well, I reinstalled apache with mod_lua and your code works. I mean it
> finds the scripts tags and adds the nonce. But I'm still unable to
> replicate the nonce in the header to make it work.
> 
> So if my header contains
> 
> Header set Content-Security-Policy "default-src 'self'; connect-src
> 'self' ; script-src 'self' 'nonce-123456789'"
> 
> I named it nonce-123456789 to easily change it.
> 
> 
> I have tried with this
>     bucket = bucket:gsub("nonce-123456789%s", fixNonce)
> 
> But it doesn't works there.
> 
> After some Googling (I did researches with apache modify headers, apache
> set headers with lua), I tried this too
> 
> r.headers_out['Content-Security-Policy'] = "script-src 'self'
> 'nonce-123456789'"
> 
> Then I did this
> 
> function goNonce(stype, str)
>     if str:match("nonce-123456789") then
>         return ("%s nonce-%s %s"):format(stype, nid, str)
>     end
> end
> 
>     while bucket do
>         bucket = bucket:gsub("<(123456789)(%s*.-)>", goNonce)
> 
> And a dozen of similar tries, but same results, makes nothing in the
> headers. Sorry to bother you again, but I can't see the way to do it.
> 
> Thanks again
> 
> Luis
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux