Re: CSP nonces in apache (SOLVED)

On 11/09/2017 at 17:12, Daniel Gruno wrote:

For those who want to accept inline scripts and styles with a nonce according to the CSP directives.

You must reinstall your apache server with lua support.
On my Mac I had installed httpd 2.4 with brew.

Open
	/usr/local/Homebrew/Library/Taps/homebrew/homebrew-apache/httpd24.rb
and add
	--enable-lua
in the args section, then save it:

args = %W[
...
      --enable-lua
...
    ]
Then stop and reinstall apache

	sudo apachectl stop
	brew reinstall httpd24

Edit httpd.conf and add mod_lua

	LoadModule lua_module libexec/mod_lua.so


Add these two lines in your httpd-vhosts.conf
	LuaOutputFilter fixupNonce /usr/local/var/www/nonce.lua nonce
	SetOutputFilter fixupNonce

Put this text in /usr/local/var/www/nonce.lua

-- Thanks to Daniel Gruno humbedooh@xxxxxxxxxx who did… almost everything!

-- nid is global on purpose: nonce() sets it for each response and fixNonce() reads it
function fixNonce(stype, str)
	-- If it has a source, it's not inline
	if str:match("src=") then
		return ("<%s%s>"):format(stype, str)
	else
		-- If not, we add the nonce (browsers only recognise a nonce="..." attribute)
		return ("<%s nonce=\"%s\"%s>"):format(stype, nid, str)
	end
end

function nonce(r)
	-- Make a random nonce ID for this response.
	-- math.random() is never seeded here and is not a CSPRNG, so a nonce built
	-- from it alone is predictable; mix in bytes from the OS when available.
	local seed = tostring(math.random(1, 999999999))
	local urandom = io.open("/dev/urandom", "rb")
	if urandom then
		seed = seed .. urandom:read(16)
		urandom:close()
	end
	nid = r:sha1(seed .. r.useragent_ip)
	-- Set the CSP header here instead of httpd.conf and give the var nid to nonce-
	-- (the X-Content-Security-Policy name is obsolete; browsers enforce Content-Security-Policy).
	-- Headers are set before the first yield, i.e. before any bucket is passed downstream.
	r.err_headers_out['Content-Security-Policy'] = "default-src 'self'; connect-src 'self'; script-src 'self' 'nonce-"..nid.."'; style-src 'self' 'nonce-"..nid.."'; font-src 'self'; frame-ancestors 'self'; object-src 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-popups-to-escape-sandbox; base-uri 'self'; report-uri / https://••••••YOURSITE••••••••/CSP_URI.php"
	-- The first yield tells mod_lua we are ready to receive buckets
	coroutine.yield()
	-- For each bucket (global 'bucket' is set by mod_lua), substitute script/style if inline
	while bucket do
		bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
		bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
		coroutine.yield(bucket)
	end
end


And start apache.

Test it with

<!doctype html>
<html class="no-js" lang="en">
<head>
	<meta charset="utf-8">
	<title>::CSP::</title>
	<meta name="description" content="fait des sites avec SPIP">
</head>
<body>
<h5>
	Hello!
</h5>
<script>
	console.log("It Works!");
</script>
<style>	
	h5 {color:#900;}
</style>
</body>
</html>

You should have a red h5 and a console.log that confirms It works!

Et voilà!


Thanks again Daniel!

Luis
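The rewrite above is easy to get subtly wrong (a predictable nonce, a nonce reused across responses, or an attribute that is not spelled `nonce="..."` all leave inline code either blocked or unprotected), so here is an added Python example, not code from the list post or from mod_lua, that mirrors the filter's rewrite with a CSPRNG nonce, builds the matching header, and then checks a response the way a reviewer would: every inline `<script>`/`<style>` must carry a `nonce="..."` attribute whose value appears in the corresponding CSP directive, while tags with a `src=` are left to the host sources. The sample HTML, the helper names (`add_nonces`, `build_csp`, `check_nonces`) and the policy it builds are all constructed for this example.

```python
import re
import secrets
from html.parser import HTMLParser

# Constructed sample page (not the list post's test page): one external
# script, one inline script and one inline style, as the filter would see them.
SAMPLE_HTML = """<!doctype html>
<html><head><title>::CSP::</title></head>
<body><h5>Hello!</h5>
<script src="/app.js"></script>
<script>console.log("It Works!");</script>
<style>h5 {color:#900;}</style>
</body></html>"""

TAG_RE = re.compile(r"<(script|style)(\s[^>]*)?>", re.IGNORECASE)
NONCE_SRC_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")


def new_nonce():
    """Fresh per-response nonce from a CSPRNG (never reuse one across responses)."""
    return secrets.token_urlsafe(16)


def add_nonces(html, nonce):
    """Mirror of the filter's rewrite: stamp nonce="..." on inline script/style
    start tags and leave tags that have a src= attribute untouched."""
    def fix(m):
        tag, attrs = m.group(1), m.group(2) or ""
        if "src=" in attrs:
            return m.group(0)
        return f'<{tag} nonce="{nonce}"{attrs}>'
    return TAG_RE.sub(fix, html)


def build_csp(nonce):
    """Header value that lets exactly this nonce run inline script and style."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            f"style-src 'self' 'nonce-{nonce}'; object-src 'none'")


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def nonces_allowed(policy, directive):
    """Set of nonce values the directive (or default-src as fallback) accepts."""
    sources = policy.get(directive, policy.get("default-src", []))
    found = set()
    for src in sources:
        m = NONCE_SRC_RE.fullmatch(src)
        if m:
            found.add(m.group(1))
    return found


class InlineCollector(HTMLParser):
    """Record every inline <script>/<style> start tag and its nonce attribute."""
    def __init__(self):
        super().__init__()
        self.inline = []  # list of (tag, nonce value or None)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "style"):
            return
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            return  # external script: governed by host sources, not the nonce
        self.inline.append((tag, a.get("nonce")))


def check_nonces(html, csp_header):
    """Return a list of problems; an empty list means every inline block is
    allowed by the header. Flags a missing attribute (a tag written as
    <script nonce-xxx> has no nonce attribute at all) and value mismatches."""
    policy = parse_csp(csp_header)
    allowed = {"script": nonces_allowed(policy, "script-src"),
               "style": nonces_allowed(policy, "style-src")}
    collector = InlineCollector()
    collector.feed(html)
    problems = []
    for tag, nonce in collector.inline:
        if nonce is None:
            problems.append(f"inline <{tag}> has no nonce attribute")
        elif nonce not in allowed[tag]:
            problems.append(f"inline <{tag}> nonce {nonce!r} is not in {tag}-src")
    return problems


if __name__ == "__main__":
    n = new_nonce()
    print(check_nonces(add_nonces(SAMPLE_HTML, n), build_csp(n)))  # []
    print(check_nonces(SAMPLE_HTML, build_csp(n)))  # two missing-nonce problems
```

Run the same `check_nonces` against a real response (header from `r.err_headers_out`, body after the filter) to confirm the two match before enforcing the policy; a page that "works" with a header browsers ignore is not evidence that the nonce is wired up correctly.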


