I'll top-post. You can't modify the headers with a filter, but you can change them before the filtering starts... I think. The filter script starts with coroutine.yield(). Before that, you can establish the nonce and set the header using either r.headers_out or the more robust r.err_headers_out table. So, you could ditch the Header directive in your httpd conf and change the filter func as such:

function nonce(r)
    r.err_headers_out['Content-Security-Policy'] = "something here"
    coroutine.yield()
    while bucket do
        ...
    end
end

On 09/11/2017 05:00 PM, Luis Speciale wrote:
> On 11/09/2017 at 12:02, Daniel Gruno wrote:
>
>>
>> You could alternately use mod_lua as an output filter.
>>
>> LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
>> SetOutputFilter fixupNonce # or AddOutputFilterByType
>>
>>
>> and then in nonce.lua, you'd have:
>>
>> function fixNonce(stype, str)
>>     if str:match("src=") then
>>         return ("<%s%s>"):format(stype, str)
>>     else
>>         -- the HTML attribute must be nonce="value" for browsers to honour it
>>         return ('<%s nonce="%s" %s>'):format(stype, nid, str)
>>     end
>> end
>>
>> function nonce(r)
>>     coroutine.yield()
>>     -- make a random nonce ID for this session
>>     nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
>>     -- for each bucket, substitute script/style if internal
>>     while bucket do
>>         bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
>>         bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
>>         coroutine.yield(bucket)
>>     end
>> end
>
>
> Well, I reinstalled apache with mod_lua and your code works. I mean it
> finds the script tags and adds the nonce. But I'm still unable to
> replicate the nonce in the header to make it work.
>
> So if my header contains
>
> Header set Content-Security-Policy "default-src 'self'; connect-src 'self' ; script-src 'self' 'nonce-123456789'"
>
> I named it nonce-123456789 to easily change it.
>
>
> I have tried with this
> bucket = bucket:gsub("nonce-123456789%s", fixNonce)
>
> But it doesn't work there.
>
> After some Googling (I did searches for apache modify headers, apache
> set headers with lua), I tried this too
>
> r.headers_out['Content-Security-Policy'] = "script-src 'self' 'nonce-123456789'"
>
> Then I did this
>
> function goNonce(stype, str)
>     if str:match("nonce-123456789") then
>         return ("%s nonce-%s %s"):format(stype, nid, str)
>     end
> end
>
> while bucket do
>     bucket = bucket:gsub("<(123456789)(%s*.-)>", goNonce)
>
> And a dozen similar tries, but same results, nothing changes in the
> headers. Sorry to bother you again, but I can't see the way to do it.
>
> Thanks again
>
> Luis
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> ---------------------------------------------------------------------
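Putting the top post's advice together, a complete nonce.lua as an added example (not code from this thread or from the mod_lua project): the nonce is generated and the CSP header set before the first coroutine.yield(), and the same value is stamped into script/style tags as a proper nonce="..." attribute. It assumes mod_lua on httpd 2.4, a /dev/urandom readable by the httpd worker, and reuses the thread's filter name fixupNonce.

```lua
-- nonce.lua: one mod_lua output filter that both emits the CSP header and
-- stamps the matching nonce into the page. Wire it up with:
--   LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
--   SetOutputFilter fixupNonce
-- and drop the "Header set Content-Security-Policy" line from httpd.conf.

local function make_nonce()
    -- 16 bytes from the OS CSPRNG, hex-encoded (hex is a valid CSP
    -- base64-value). Assumes /dev/urandom is readable by httpd.
    -- math.random, as used earlier in the thread, is not a CSPRNG.
    local f = assert(io.open("/dev/urandom", "rb"))
    local raw = assert(f:read(16))
    f:close()
    return (raw:gsub(".", function(c) return ("%02x"):format(c:byte()) end))
end

local function nonce_rewriter(nid)
    -- gsub callback: insert nonce="..." into the tag's attribute list unless
    -- the tag already carries one. External (src=) scripts get it as well;
    -- CSP honours a nonce on external scripts too.
    return function(tag, attrs)
        if attrs:match("%snonce=") then
            return ("<%s%s>"):format(tag, attrs)
        end
        return ('<%s nonce="%s"%s>'):format(tag, nid, attrs)
    end
end

function nonce(r)
    -- Everything before the first yield runs before any bucket is handled,
    -- so the header goes out with the same value the body will carry.
    local nid = make_nonce()
    r.err_headers_out["Content-Security-Policy"] = (
        "default-src 'self'; connect-src 'self'; " ..
        "script-src 'self' 'nonce-%s'; style-src 'self' 'nonce-%s'"):format(nid, nid)
    local fix = nonce_rewriter(nid)
    coroutine.yield()
    while bucket do
        -- Caveat: a tag split across two buckets is missed by per-bucket gsub.
        bucket = bucket:gsub("<(script)(%s*.-)>", fix)
        bucket = bucket:gsub("<(style)(%s*.-)>", fix)
        coroutine.yield(bucket)
    end
end
```

Check the result with a browser's console: any script or style that lost its nonce (for example a tag split across buckets) is reported as a CSP violation, which is the failure mode to watch for after deploying this.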