On 11/09/2017 at 17:12, Daniel Gruno wrote:

For those who want to accept inline scripts and styles with a nonce according to the CSP directives.

You must reinstall your Apache server with Lua support. On my Mac I had installed httpd 2.4 with brew.

Open /usr/local/Homebrew/Library/Taps/homebrew/homebrew-apache/httpd24.rb, add --enable-lua in the args section and save it:

    args = %W[
      ...
      --enable-lua
      ...
    ]

Then stop and reinstall Apache:

    sudo apachectl stop
    brew reinstall httpd24

Edit httpd.conf and add mod_lua:

    LoadModule lua_module libexec/mod_lua.so

Add these two lines in your httpd-vhosts.conf:

    LuaOutputFilter fixupNonce /usr/local/var/www/nonce.lua nonce
    SetOutputFilter fixupNonce

Put this text in /usr/local/var/www/nonce.lua:

    -- Thanks to Daniel Gruno humbedooh@xxxxxxxxxx who did... almost everything!

    -- Nonce for the current response; set in nonce() before any bucket is rewritten.
    -- Kept file-local rather than global so it cannot leak between requests if
    -- the interpreter is reused (any LuaScope other than "once").
    local nid

    function fixNonce(stype, str)
        -- If it has a source, it's not inline: 'self' in the policy covers it
        if str:match("src=") then
            return ("<%s%s>"):format(stype, str)
        else
            -- If not, we add the nonce. The HTML attribute is nonce="...",
            -- the policy source is 'nonce-...'; both must carry the same value.
            return ('<%s nonce="%s"%s>'):format(stype, nid, str)
        end
    end

    function nonce(r)
        coroutine.yield()
        -- Make a random nonce for this response. math.random is not a CSPRNG
        -- (and is unseeded in a fresh interpreter), and a guessable nonce defeats
        -- the whole scheme, so take 16 bytes from the kernel RNG instead.
        local f = assert(io.open("/dev/urandom", "rb"))
        local raw = f:read(16)
        f:close()
        nid = r:base64_encode(raw)
        -- Set the CSP header here instead of httpd.conf so it can carry nid.
        -- Browsers enforce Content-Security-Policy; the old X-Content-Security-Policy
        -- name is ignored, so inline code would run whether or not the nonce matched.
        r.err_headers_out['Content-Security-Policy'] =
            "default-src 'self'; connect-src 'self'; " ..
            "script-src 'self' 'nonce-" .. nid .. "'; " ..
            "style-src 'self' 'nonce-" .. nid .. "'; " ..
            "font-src 'self'; frame-ancestors 'self'; object-src 'none'; " ..
            "sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-modals " ..
            "allow-orientation-lock allow-pointer-lock allow-presentation allow-popups-to-escape-sandbox; " ..
            "base-uri 'self'; report-uri https://••••••YOURSITE••••••••/CSP_URI.php"

        -- For each bucket, substitute script/style if inline.
        -- (A tag split across two buckets is not matched by a per-bucket gsub.)
        while bucket do
            bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
            bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
            coroutine.yield(bucket)
        end
    end

And start Apache. Test it with:

    <!doctype html>
    <html class="no-js" lang="en">
    <head>
      <meta charset="utf-8">
      <title>::CSP::</title>
      <meta name="description" content="builds websites with SPIP">
    </head>
    <body>
      <h5> Hello! </h5>
      <script>
        console.log("It Works!");
      </script>
      <style>
        h5 {color:#900;}
      </style>
    </body>
    </html>

You should have a red h5 and a console.log that confirms "It Works!"

And there you have it! Thanks again Daniel!

Luis
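The same rewriting logic as a stand-alone model, added here as an example; it is not part of Luis's post or of mod_lua. It is written in Python so it can be run and checked without an httpd build, and it shows four things the per-bucket Lua filter does not: the nonce comes from the OS CSPRNG, the Content-Security-Policy value and the nonce="..." attribute are built from the same value, only a real src= attribute marks a tag as external (so data-src= still gets a nonce), and an unterminated tag tail ("<scr" + "ipt>") is carried across chunk boundaries instead of being missed. All function names, the sample page, the /app.js and /lazy.js paths and the chunk split are constructed for this example.

```python
import base64
import os
import re

# Opening <script ...> / <style ...> tags only; closing tags start with "</".
TAG_RE = re.compile(r"<(script|style)(\s[^>]*)?>", re.IGNORECASE)
# A real src= attribute (at the start of the attribute list or after
# whitespace), so data-src= does not count as an external resource.
SRC_RE = re.compile(r"(?:^|\s)src\s*=", re.IGNORECASE)


def make_nonce(nbytes=16):
    """Per-response nonce from the OS CSPRNG; base64 keeps it attribute-safe."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def csp_header(nonce):
    """Value for the Content-Security-Policy header (not the obsolete X- form).

    The policy source 'nonce-<value>' must equal the nonce="<value>"
    attribute the filter writes into every inline tag.
    """
    return ("default-src 'self'; script-src 'self' 'nonce-{n}'; "
            "style-src 'self' 'nonce-{n}'; object-src 'none'; base-uri 'self'"
            ).format(n=nonce)


def _tag_with_nonce(match, nonce):
    name, attrs = match.group(1), match.group(2) or ""
    if SRC_RE.search(attrs):
        return match.group(0)            # external resource: covered by 'self'
    return '<{} nonce="{}"{}>'.format(name, nonce, attrs)


def rewrite(html, nonce):
    """Add nonce="..." to every inline <script>/<style> opening tag."""
    return TAG_RE.sub(lambda m: _tag_with_nonce(m, nonce), html)


def stream_rewrite(chunks, nonce):
    """Filter a response that arrives in chunks (httpd buckets).

    Anything after the last '<' that has no closing '>' yet is held back and
    prepended to the next chunk, so a tag cut between chunks is rewritten
    once it is complete. A lone '<' at end of stream is emitted as text.
    """
    carry = ""
    for chunk in chunks:
        data = carry + chunk
        cut = data.rfind("<")
        if cut != -1 and ">" not in data[cut:]:
            data, carry = data[:cut], data[cut:]
        else:
            carry = ""
        yield rewrite(data, nonce)
    if carry:
        yield carry


# Constructed sample page, split where a naive per-chunk rewrite would fail.
SAMPLE_CHUNKS = [
    '<!doctype html><html><head><title>::CSP::</title></head><body>\n'
    '<h5>Hello!</h5>\n<scr',
    'ipt>console.log("It Works!");</script>\n'
    '<script src="/app.js"></script>\n'
    '<script data-src="/lazy.js"></script>\n'
    '<sty',
    'le>h5 {color:#900;}</style>\n</body></html>\n',
]


def demo(nonce=None):
    """Return (header value, filtered HTML) for the sample page."""
    nonce = nonce or make_nonce()
    return csp_header(nonce), "".join(stream_rewrite(SAMPLE_CHUNKS, nonce))


if __name__ == "__main__":
    header, body = demo()
    print("Content-Security-Policy:", header)
    print(body)
```

In the mod_lua version the equivalent of `carry` would be a local kept across the coroutine yields: yield only the part of the bucket before the held-back tail and prepend that tail to the next bucket. The model still shares one limit with the original: it rewrites a literal "<script" inside an HTML comment or a JavaScript string as if it were a tag.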