Posted to users@httpd.apache.org by Luis Speciale <ls...@gmail.com> on 2017/09/07 17:46:14 UTC

[users@httpd] CSP nonces in apache

Hello;

I wanted to have CSP nonces in apache. Something like this in NGINX
https://scotthelme.co.uk/csp-nonce-support-in-nginx/
The idea is to generate a number, put this number in the CSP nonce (the 
header) and then replicate this number in every inline script.

So in my httpd-vhosts.conf I did this

Define numbnonce %{UNIQUE_ID}e

SubstituteInheritBefore on
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|(<script)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"
Substitute "s|(<style)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"

Header set Content-Security-Policy "default-src 'self'; connect-src 'self' ; script-src 'self' 'nonce-${numbnonce}'; style-src 'self' 'nonce-${numbnonce}';"

The variable appears in the headers ('nonce-WbGA@8CoABAAADceEfUAAAAP') 
but it doesn't appear in the substitution (<script nonce-$numbnonce="">), and I 
can't see why because I'm not skilled enough.

Thanks for reading me and thanks in advance for any ideas or suggestions.

Luis

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] CSP nonces in apache

Posted by Luis Speciale <ls...@gmail.com>.
On 11/09/2017 at 12:02, Daniel Gruno wrote:
> On 09/11/2017 11:51 AM, Luis Speciale wrote:
>> On 11/09/2017 at 11:38, Mitchell Krog Photography wrote:
>>> As per the original article from Scott Helme that you initially
>>> referred to, you will need to generate a random string yourself.
>>> Something like this might help you in the right direction -
>>> https://gist.github.com/earthgecko/3089509
>>
>>
>> I was trying to do this with %{UNIQUE_ID} and %{TIME}, but these
>> variables work in the httpd config while they appear literally in the
>> content. I need an idea or a suggestion about how to achieve this
>> otherwise, and that's what I can't figure out.
>>
>> Thanks for the answer.
> 
> You could alternately use mod_lua as an output filter.
> 
> LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
> SetOutputFilter fixupNonce # or AddOutputFilterByType
> 
> 
> and then in nonce.lua, you'd have:
> 
> function fixNonce(stype, str)
>     if str:match("src=") then
>        return ("<%s%s>"):format(stype, str)
>     else
>        return ("<%s nonce-%s %s>"):format(stype, nid, str)
>     end
> end
> 
> function nonce(r)
>     coroutine.yield()
>     -- make a random nonce ID for this session
>     nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
>      -- for each bucket, substitute script/style if internal
>      while bucket do
>            bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
>            bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
>            coroutine.yield(bucket)
>      end
> end
> 

I'm going to try this today and I will tell you what happens, thanks!!!!!

Luis



Re: [users@httpd] CSP nonces in apache

Posted by Luis Speciale <ls...@gmail.com>.
On 12/09/2017 at 14:57, Frank wrote:

> You need to use a threaded mpm in order to support http2. Just unload 
> the prefork mpm module, and load the event mpm module.

I was Googling about this to find a solution. I'm going to try what you 
suggest. Thanks for your answer.

Luis



Re: [users@httpd] CSP nonces in apache

Posted by Frank <th...@apache.org>.

On 12/09/17 05:22 AM, Luis Speciale wrote:
> On 12/09/2017 at 09:33, Daniel Gruno wrote:
>> On 09/12/2017 09:32 AM, Luis Speciale wrote:
>>> Oh, my. It's NOT working. I fooled myself yesterday
>>>
>>> :(
>>
>> Which part in particular isn't working?
>>
>
> Hi Daniel
> I'm going to do an exhaustive check before asking for more help; I feel
> like I'm abusing your patience, which, by the way, I find almost
> admirable.
>
> Now I'm looking for the errors in the logs, and http2 is not working.
> I imagine that the reinstall of apache didn't go well.
>
>     "The mpm module (prefork.c) is not supported by mod_http2."
>
> So, I'm going to reinstall and repeat the whole process, step by step, and
> only then will I look for help, otherwise it is not serious ;)
>
> Thanks again !
>
>
> Luis
>
>
>

You need to use a threaded mpm in order to support http2. Just unload 
the prefork mpm module, and load the event mpm module.





Re: [users@httpd] CSP nonces in apache

Posted by Luis Speciale <ls...@gmail.com>.
On 12/09/2017 at 09:33, Daniel Gruno wrote:
> On 09/12/2017 09:32 AM, Luis Speciale wrote:
>> Oh, my. It's NOT working. I fooled myself yesterday
>>
>> :(
> 
> Which part in particular isn't working?
> 

Hi Daniel
I'm going to do an exhaustive check before asking for more help; I feel 
like I'm abusing your patience, which, by the way, I find almost 
admirable.

Now I'm looking for the errors in the logs, and http2 is not working.
I imagine that the reinstall of apache didn't go well.

	"The mpm module (prefork.c) is not supported by mod_http2."

So, I'm going to reinstall and repeat the whole process, step by step, and 
only then will I look for help, otherwise it is not serious ;)

Thanks again !


Luis




Re: [users@httpd] CSP nonces in apache

Posted by Daniel Gruno <hu...@apache.org>.
On 09/12/2017 09:32 AM, Luis Speciale wrote:
> Oh, my. It's NOT working. I fooled myself yesterday
> 
> :(

Which part in particular isn't working?

> 
> Luis
> 
> 




Re: [users@httpd] CSP nonces in apache

Posted by Luis Speciale <ls...@gmail.com>.
Oh, my. It's NOT working. I fooled myself yesterday

:(

Luis



Re: [users@httpd] CSP nonces in apache (SOLVED)

Posted by Luis Speciale <ls...@gmail.com>.
On 11/09/2017 at 17:12, Daniel Gruno wrote:

For those who want to accept inline scripts and styles with a nonce 
according to the CSP directives:

You must reinstall your apache server with lua support.
On my Mac I had installed httpd 2.4 with brew.

Open
	/usr/local/Homebrew/Library/Taps/homebrew/homebrew-apache/httpd24.rb
and add
	--enable-lua

In the args section and save it

args = %W[
...
       --enable-lua
...
     ]
Then stop and reinstall apache

	sudo apachectl stop
	brew reinstall httpd24

Edit httpd.conf and add mod_lua

	LoadModule lua_module libexec/mod_lua.so


Add these two lines to your httpd-vhosts.conf
	LuaOutputFilter fixupNonce /usr/local/var/www/nonce.lua nonce
	SetOutputFilter fixupNonce

Put this text in /usr/local/var/www/nonce.lua

-- Thanks to Daniel Gruno humbedooh@apache.org who did… almost everything!

function fixNonce(stype, str)
	-- If it has a source, it's not inline: leave the tag as it is
	if str:match("src=") then
		return ("<%s%s>"):format(stype, str)
	else
		-- If not, we add a real nonce="..." attribute. A bare nonce-xxx token
		-- would be an attribute *named* nonce-xxx, which the browser never
		-- compares against the header.
		return ('<%s nonce="%s"%s>'):format(stype, nid, str)
	end
end

function nonce(r)
	-- Make a random nonce ID for this request (math.random is not a
	-- cryptographic generator; prefer a CSPRNG source if your build offers one)
	nid = r:sha1(math.random(1,999999999)..r.useragent_ip)
	-- Set the CSP header here instead of httpd.conf, before the first yield,
	-- so the same nid reaches both the header and the markup. Use the standard
	-- header name: current browsers do not enforce X-Content-Security-Policy.
	r.err_headers_out['Content-Security-Policy'] = "default-src 'self'; "
		.. "connect-src 'self'; script-src 'self' 'nonce-"..nid.."'; "
		.. "style-src 'self' 'nonce-"..nid.."'; font-src 'self'; "
		.. "frame-ancestors 'self'; object-src 'none'; "
		.. "sandbox allow-forms allow-same-origin allow-scripts allow-popups "
		.. "allow-modals allow-orientation-lock allow-pointer-lock "
		.. "allow-presentation allow-popups-to-escape-sandbox; "
		.. "base-uri 'self'; report-uri / https://••••••YOURSITE••••••••/CSP_URI.php"
	coroutine.yield()
	-- For each bucket, substitute script/style if inline
	-- (a tag split across two buckets will not be rewritten)
	while bucket do
		bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
		bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
		coroutine.yield(bucket)
	end
end


And start apache.

Test it with

<!doctype html>
<html class="no-js" lang="en">
<head>
	<meta charset="utf-8">
	<title>::CSP::</title>
	<meta name="description" content="fait des sites avec SPIP">
</head>
<body>
<h5>
	Hello!
</h5>
<script>
	console.log("It Works!");
</script>
<style>	
	h5 {color:#900;}
</style>
</body>
</html>

You should have a red h5 and a console.log that confirms It works!

Et voilà!


Thanks again Daniel!

Luis



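As an added example (not code from the thread, and not httpd's or mod_lua's), here is the same workflow modelled in Python so it can be run outside Apache on a constructed page: generate a per-response nonce from a CSPRNG, add it as a real `nonce="..."` attribute to inline `<script>`/`<style>` tags only, emit the matching `Content-Security-Policy` header, and then check a response the way a reviewer would. The checker also flags two pitfalls worth looking for in any filter of this kind: a `nonce-xxx` token (an attribute *named* `nonce-xxx`, not a nonce) and the `X-Content-Security-Policy` header, which current browsers do not enforce. `SAMPLE_HTML`, the function names and the header values are all constructed for this example.

```python
import base64
import re
import secrets

# Constructed sample page (not from the thread): inline and external tags mixed,
# with odd casing and an unquoted src= to exercise the matcher.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<style>h5 {color:#900;}</style>
<STYLE media="screen">body {margin:0}</STYLE>
</head><body>
<h5>Hello!</h5>
<script>console.log("It Works!");</script>
<script type="module" src=/static/mod.js></script>
</body></html>
"""

# Opening <script ...>/<style ...> tags only: group 1 is the tag name, group 2 the
# attribute text. Closing tags start with "</" and never match.
TAG_RE = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc\s*=", re.IGNORECASE)
# A real nonce attribute is nonce="..."; a nonce-xxx token is an attribute
# *named* nonce-xxx, which the browser never compares to the header.
NONCE_ATTR_RE = re.compile(r"""\bnonce\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def make_nonce(nbytes=16):
    """128 random bits from the OS CSPRNG, base64 as the CSP spec recommends."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def add_nonce(html, nonce):
    """Add nonce="..." to every inline <script>/<style>; tags with src= are left alone."""
    def fix(m):
        name, attrs = m.group(1), m.group(2)
        if SRC_RE.search(attrs):
            return m.group(0)          # external resource: covered by 'self', no nonce
        return '<%s nonce="%s"%s>' % (name, nonce, attrs)
    return TAG_RE.sub(fix, html)


def csp_header(nonce):
    """The policy that must accompany a page rewritten with the same nonce."""
    return ("default-src 'self'; connect-src 'self'; "
            "script-src 'self' 'nonce-%s'; style-src 'self' 'nonce-%s'; "
            "object-src 'none'; base-uri 'self'" % (nonce, nonce))


def header_nonces(policy, directive):
    """Nonce values that one directive (e.g. script-src) of a policy allows."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return {t[len("'nonce-"):-1] for t in tokens[1:]
                    if t.startswith("'nonce-") and t.endswith("'")}
    return set()


def check_page(headers, html):
    """Defender's check on a response: list every reason the nonce policy would
    not protect the page. An empty list means header and body agree."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    problems = []
    policy = hdrs.get("content-security-policy")
    if policy is None:
        if "x-content-security-policy" in hdrs:
            problems.append("only X-Content-Security-Policy is set; "
                            "current browsers ignore it, so nothing is enforced")
        else:
            problems.append("no Content-Security-Policy header")
        return problems
    for m in TAG_RE.finditer(html):
        name, attrs = m.group(1).lower(), m.group(2)
        if SRC_RE.search(attrs):
            continue
        allowed = header_nonces(policy, name + "-src")
        found = NONCE_ATTR_RE.search(attrs)
        if found is None:
            problems.append("inline <%s> without nonce attribute" % name)
        elif found.group(1) not in allowed:
            problems.append("inline <%s> nonce %r not allowed by %s-src"
                            % (name, found.group(1), name))
    return problems


if __name__ == "__main__":
    nonce = make_nonce()
    body = add_nonce(SAMPLE_HTML, nonce)
    print(body)
    print("Content-Security-Policy:", csp_header(nonce))
    print("problems:", check_page({"Content-Security-Policy": csp_header(nonce)}, body))
```

Run it as a script to see the rewritten page and its header; `check_page` is the piece to point at a real response (headers as a dict, body as text) once a filter like the one above is deployed. It uses a plain `[^>]*` tag matcher rather than the lookahead regexes from the thread: with the `src=` decision made in code, the pattern no longer has to encode it.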


Re: [users@httpd] CSP nonces in apache

Posted by Daniel Gruno <hu...@apache.org>.
I'll top-post.
You can't modify the headers with a filter, but you can change them
before the filtering starts...I think

The filter script starts with coroutine.yield().
before that, you can establish the nonce and set the header using either
r.headers_out or the more robust r.err_headers_out table.

so, you could ditch the Header directive in your httpd conf and change
the filter func as such:

function nonce(r)
  r.err_headers_out['Content-Security-Policy'] = "something here"
  coroutine.yield()
  while bucket do
    ...
   end
end


On 09/11/2017 05:00 PM, Luis Speciale wrote:
> On 11/09/2017 at 12:02, Daniel Gruno wrote:
> 
>>
>> You could alternately use mod_lua as an output filter.
>>
>> LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
>> SetOutputFilter fixupNonce # or AddOutputFilterByType
>>
>>
>> and then in nonce.lua, you'd have:
>>
>> function fixNonce(stype, str)
>>     if str:match("src=") then
>>        return ("<%s%s>"):format(stype, str)
>>     else
>>        return ("<%s nonce-%s %s>"):format(stype, nid, str)
>>     end
>> end
>>
>> function nonce(r)
>>     coroutine.yield()
>>     -- make a random nonce ID for this session
>>     nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
>>      -- for each bucket, substitute script/style if internal
>>      while bucket do
>>            bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
>>            bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
>>            coroutine.yield(bucket)
>>      end
>> end
> 
> 
> Well, I reinstalled apache with mod_lua and your code works. I mean it
> finds the script tags and adds the nonce. But I'm still unable to
> replicate the nonce in the header to make it work.
> 
> So if my header contains
> 
> Header set Content-Security-Policy "default-src 'self'; connect-src 'self' ; script-src 'self' 'nonce-123456789'"
> 
> I named it nonce-123456789 to easily change it.
> 
> 
> I have tried with this
>     bucket = bucket:gsub("nonce-123456789%s", fixNonce)
> 
> But it doesn't work there.
> 
> After some Googling (I searched for "apache modify headers" and "apache
> set headers with lua"), I tried this too
> 
> r.headers_out['Content-Security-Policy'] = "script-src 'self' 'nonce-123456789'"
> 
> Then I did this
> 
> function goNonce(stype, str)
>     if str:match("nonce-123456789") then
>         return ("%s nonce-%s %s"):format(stype, nid, str)
>     end
> end
> 
>     while bucket do
>         bucket = bucket:gsub("<(123456789)(%s*.-)>", goNonce)
> 
> And a dozen similar tries, but same result: nothing changes in the
> headers. Sorry to bother you again, but I can't see the way to do it.
> 
> Thanks again
> 
> Luis
> 
> 
> 




Re: [users@httpd] CSP nonces in apache

Posted by Luis Speciale <ls...@gmail.com>.
On 11/09/2017 at 12:02, Daniel Gruno wrote:

> 
> You could alternately use mod_lua as an output filter.
> 
> LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
> SetOutputFilter fixupNonce # or AddOutputFilterByType
> 
> 
> and then in nonce.lua, you'd have:
> 
> function fixNonce(stype, str)
>     if str:match("src=") then
>        return ("<%s%s>"):format(stype, str)
>     else
>        return ("<%s nonce-%s %s>"):format(stype, nid, str)
>     end
> end
> 
> function nonce(r)
>     coroutine.yield()
>     -- make a random nonce ID for this session
>     nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
>      -- for each bucket, substitute script/style if internal
>      while bucket do
>            bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
>            bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
>            coroutine.yield(bucket)
>      end
> end


Well, I reinstalled apache with mod_lua and your code works. I mean it 
finds the script tags and adds the nonce. But I'm still unable to 
replicate the nonce in the header to make it work.

So if my header contains

Header set Content-Security-Policy "default-src 'self'; connect-src 'self' ; script-src 'self' 'nonce-123456789'"

I named it nonce-123456789 to easily change it.


I have tried with this
	bucket = bucket:gsub("nonce-123456789%s", fixNonce)

But it doesn't work there.

After some Googling (I searched for "apache modify headers" and "apache 
set headers with lua"), I tried this too

r.headers_out['Content-Security-Policy'] = "script-src 'self' 'nonce-123456789'"

Then I did this

function goNonce(stype, str)
	if str:match("nonce-123456789") then
		return ("%s nonce-%s %s"):format(stype, nid, str)
	end
end

	while bucket do
		bucket = bucket:gsub("<(123456789)(%s*.-)>", goNonce)

And a dozen similar tries, but same result: nothing changes in the 
headers. Sorry to bother you again, but I can't see the way to do it.

Thanks again

Luis




Re: [users@httpd] CSP nonces in apache

Posted by Daniel Gruno <hu...@apache.org>.
On 09/11/2017 11:51 AM, Luis Speciale wrote:
> On 11/09/2017 at 11:38, Mitchell Krog Photography wrote:
>> As per the original article from Scott Helme that you initially
>> referred to, you will need to generate a random string yourself.
>> Something like this might help you in the right direction -
>> https://gist.github.com/earthgecko/3089509
> 
> 
> I was trying to do this with %{UNIQUE_ID} and %{TIME}, but these
> variables work in the httpd config while they appear literally in the
> content. I need an idea or a suggestion about how to achieve this
> otherwise, and that's what I can't figure out.
> 
> Thanks for the answer.

You could alternately use mod_lua as an output filter.

LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
SetOutputFilter fixupNonce # or AddOutputFilterByType


and then in nonce.lua, you'd have:

function fixNonce(stype, str)
   if str:match("src=") then
      -- external resource: leave the tag untouched
      return ("<%s%s>"):format(stype, str)
   else
      -- inline: add a real nonce="..." attribute (a bare nonce-xxx token
      -- would be an attribute named nonce-xxx, which browsers never check)
      return ('<%s nonce="%s"%s>'):format(stype, nid, str)
   end
end

function nonce(r)
   coroutine.yield()
   -- make a random nonce ID for this session
   nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
   -- for each bucket, substitute script/style if internal
   while bucket do
      bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
      bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
      coroutine.yield(bucket)
   end
end



> 
> Luis
> 
> 
> 




Re: [users@httpd] CSP nonces in apache

Posted by Luis Speciale <ls...@gmail.com>.
On 11/09/2017 at 11:38, Mitchell Krog Photography wrote:
> As per the original article from Scott Helme that you initially referred 
> to, you will need to generate a random string yourself.
> Something like this might help you in the right direction - 
> https://gist.github.com/earthgecko/3089509


I was trying to do this with %{UNIQUE_ID} and %{TIME}, but these 
variables work in the httpd config while they appear literally in the 
content. I need an idea or a suggestion about how to achieve this 
otherwise, and that's what I can't figure out.

Thanks for the answer.

Luis




Re: [users@httpd] CSP nonces in apache

Posted by Mitchell Krog Photography <mi...@gmail.com>.
As per the original article from Scott Helme that you initially referred to, you will need to generate a random string yourself.
Something like this might help you in the right direction - https://gist.github.com/earthgecko/3089509



From: Luis Speciale <ls...@gmail.com>
Reply: users@httpd.apache.org <us...@httpd.apache.org>, lspeciale@gmail.com <ls...@gmail.com>
Date: 11 September 2017 at 11:35:17 AM
To: users@httpd.apache.org <us...@httpd.apache.org>
Subject:  Re: [users@httpd] CSP nonces in apache  

On 11/09/2017 at 10:59, Daniel Gruno wrote:
> On 09/11/2017 10:48 AM, Luis Speciale wrote:
>> On 07/09/2017 at 20:57, Daniel Gruno wrote:
>>
>>>
>>> might be that you need to uppercase it to NUMBNONCE.
>>
>> After a week trying I'm beginning to think that it can't be done the way
>> I thought. Is there a way (another, of course) to achieve this?
>
> It SHOULD work.
> I tested the following:
>
> SubstituteInheritBefore on
> SetOutputFilter SUBSTITUTE # Forcing substitute on everything
> Define NUMBNONCE "1234"
> Substitute "s/<(script|style)((?!\s*src=)?.*)>/<$1 nonce-${NUMBNONCE}$2>/i"
>
> My HTML then showed "<script nonce-1234 ...>"


Sorry for the double post, I forgot to post to the list


Yes, I know. But I need to populate NUMBNONCE with a variable number
which must change on every hit; that's the reason why I was trying with
%{UNIQUE_ID} (I tried %TIME too). It appears that these variables work
only in the httpd config, but don't "export" to the site. That's why
I thought it can't be done the way I figured it.
I need a variable that can go outside the context of httpd.

Thanks again, Daniel



Re: [users@httpd] CSP nonces in apache

Posted by Luis Speciale <ls...@gmail.com>.
On 11/09/2017 at 10:59, Daniel Gruno wrote:
> On 09/11/2017 10:48 AM, Luis Speciale wrote:
>> On 07/09/2017 at 20:57, Daniel Gruno wrote:
>>
>>>
>>> might be that you need to uppercase it to NUMBNONCE.
>>
>> After a week trying I'm beginning to think that it can't be done the way
>> I thought. Is there a way (another, of course) to achieve this?
> 
> It SHOULD work.
> I tested the following:
> 
> SubstituteInheritBefore on
> SetOutputFilter SUBSTITUTE # Forcing substitute on everything
> Define NUMBNONCE "1234"
> Substitute "s/<(script|style)((?!\s*src=)?.*)>/<$1  nonce-${NUMBNONCE}$2>/i"
> 
> My HTML then showed "<script nonce-1234 ...>"


Sorry for the double post, I forgot to post to the list


Yes, I know. But I need to populate NUMBNONCE with a variable number 
which must change on every hit; that's the reason why I was trying with 
%{UNIQUE_ID} (I tried %TIME too). It appears that these variables work 
only in the httpd config, but don't "export" to the site. That's why 
I thought it can't be done the way I figured it.
I need a variable that can go outside the context of httpd.

Thanks again, Daniel



Re: [users@httpd] CSP nonces in apache

Posted by Daniel Gruno <hu...@apache.org>.
On 09/11/2017 10:48 AM, Luis Speciale wrote:
> On 07/09/2017 at 20:57, Daniel Gruno wrote:
> 
>>
>> might be that you need to uppercase it to NUMBNONCE.
> 
> After a week trying I'm beginning to think that it can't be done the way
> I thought. Is there a way (another, of course) to achieve this?

It SHOULD work.
I tested the following:

SubstituteInheritBefore on
SetOutputFilter SUBSTITUTE # Forcing substitute on everything
Define NUMBNONCE "1234"
Substitute "s/<(script|style)((?!\s*src=)?.*)>/<$1  nonce-${NUMBNONCE}$2>/i"

My HTML then showed "<script nonce-1234 ...>"

> 
> Luis
> 
> 




Re: [users@httpd] CSP nonces in apache

Posted by Luis Speciale <ls...@gmail.com>.
On 07/09/2017 at 20:57, Daniel Gruno wrote:

> 
> might be that you need to uppercase it to NUMBNONCE.

After a week trying I'm beginning to think that it can't be done the way 
I thought. Is there a way (another, of course) to achieve this?

Luis



Re: [users@httpd] CSP nonces in apache

Posted by Luis Speciale <ls...@gmail.com>.
On 07/09/2017 at 20:57, Daniel Gruno wrote:
>>> Try:
>>>
>>> Substitute "s/<(style|script)((?!\s*src=).*)>/<$1 nonce-${numbnonce}
>>> $2>/i"
>>
>> Now it substitutes <script> with <script nonce-%{unique_id}e="">
>> It ignores the value of numbnonce (%{UNIQUE_ID}e) and writes it
>> literally, even if in the headers this variable appears ok.
>> When I look at the headers it has the correct value
>> 'nonce-WbGTF8CoABAAADn5XWYAAAAP'
> 
> might be that you need to uppercase it to NUMBNONCE.


Same behaviour, alas! Thank you again for your answers.

Luis



Re: [users@httpd] CSP nonces in apache

Posted by Daniel Gruno <hu...@apache.org>.
On 09/07/2017 08:54 PM, Luis Speciale wrote:
> On 07/09/2017 at 20:36, Daniel Gruno wrote:
>> On 09/07/2017 08:30 PM, Luis Speciale wrote:
>>> On 07/09/2017 at 19:53, Daniel Gruno wrote:
>>>
>>> Thank you for your answer.
>>>
>>>> Quick spot-check says you should probably change '.)*)' to ').*)'
>>>
>>> I tried this but it doesn't seem to work.
>>>
>>>> Also, the env vars need to be ${}'ed.
>>>
>>> Ok,  I got it.
>>>
>>>> Assuming you want to inject nonce-foo into all non-external scripts, I
>>>> would shorten it to something like:
>>>>
>>>> s|<(style|script)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|
>>>
>>> When I do as you said, I have an error
>>> Bad Substitute flag, only s///[infq] are supported
>>> I imagine it's because of the extra pipe.
>>> But even without it
>>> Substitute "s|<(style)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|i"
>>> I have no substitution at all.
>>
>> Try:
>>
>> Substitute "s/<(style|script)((?!\s*src=).*)>/<$1 nonce-${numbnonce}
>> $2>/i"
> 
> Now it substitutes <script> with <script nonce-%{unique_id}e="">
> It ignores the value of numbnonce (%{UNIQUE_ID}e) and writes it
> literally, even if in the headers this variable appears ok.
> When I look at the headers it has the correct value
> 'nonce-WbGTF8CoABAAADn5XWYAAAAP'

might be that you need to uppercase it to NUMBNONCE.

> 
> 




Re: [users@httpd] CSP nonces in apache

Posted by Luis Speciale <ls...@gmail.com>.
On 07/09/2017 at 20:36, Daniel Gruno wrote:
> On 09/07/2017 08:30 PM, Luis Speciale wrote:
>> On 07/09/2017 at 19:53, Daniel Gruno wrote:
>>
>> Thank you for your answer.
>>
>>> Quick spot-check says you should probably change '.)*)' to ').*)'
>>
>> I tried this but it doesn't seem to work.
>>
>>> Also, the env vars need to be ${}'ed.
>>
>> Ok,  I got it.
>>
>>> Assuming you want to inject nonce-foo into all non-external scripts, I
>>> would shorten it to something like:
>>>
>>> s|<(style|script)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|
>>
>> When I do as you said, I have an error
>> Bad Substitute flag, only s///[infq] are supported
>> I imagine it's because of the extra pipe.
>> But even without it
>> Substitute "s|<(style)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|i"
>> I have no substitution at all.
> 
> Try:
> 
> Substitute "s/<(style|script)((?!\s*src=).*)>/<$1 nonce-${numbnonce} $2>/i"

Now it substitutes <script> with <script nonce-%{unique_id}e="">
It ignores the value of numbnonce (%{UNIQUE_ID}e) and writes it 
literally, even if in the headers this variable appears ok.
When I look at the headers it has the correct value
'nonce-WbGTF8CoABAAADn5XWYAAAAP'



Re: [users@httpd] CSP nonces in apache

Posted by Daniel Gruno <hu...@apache.org>.
On 09/07/2017 08:30 PM, Luis Speciale wrote:
> On 07/09/2017 at 19:53, Daniel Gruno wrote:
> 
> Thank you for your answer.
> 
>> Quick spot-check says you should probably change '.)*)' to ').*)'
> 
> I tried this but it doesn't seem to work.
> 
>> Also, the env vars need to be ${}'ed.
> 
> Ok,  I got it.
> 
>> Assuming you want to inject nonce-foo into all non-external scripts, I
>> would shorten it to something like:
>>
>> s|<(style|script)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|
> 
> When I do as you said, I have an error
> Bad Substitute flag, only s///[infq] are supported
> I imagine it's because of the extra pipe.
> But even without it
> Substitute "s|<(style)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|i"
> I have no substitution at all.

Try:

Substitute "s/<(style|script)((?!\s*src=).*)>/<$1 nonce-${numbnonce} $2>/i"

> 
> Luis
> 
> 




Re: [users@httpd] CSP nonces in apache

Posted by Luis Speciale <ls...@gmail.com>.
On 07/09/2017 at 19:53, Daniel Gruno wrote:

Thank you for your answer.

> Quick spot-check says you should probably change '.)*)' to ').*)'

I tried this but it doesn't seem to work.

> Also, the env vars need to be ${}'ed.

Ok,  I got it.

> Assuming you want to inject nonce-foo into all non-external scripts, I
> would shorten it to something like:
> 
> s|<(style|script)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|

When I do as you said, I have an error
Bad Substitute flag, only s///[infq] are supported
I imagine it's because of the extra pipe.
But even without it
Substitute "s|<(style)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|i"
I have no substitution at all.

Luis



Re: [users@httpd] CSP nonces in apache

Posted by Daniel Gruno <hu...@apache.org>.
On 09/07/2017 07:46 PM, Luis Speciale wrote:
> Hello;
> 
> I wanted to have CSP nonces in apache. Something like this in NGINX
> https://scotthelme.co.uk/csp-nonce-support-in-nginx/
> The idea is to generate a number, put this number in the CSP nonce (the
> header) and then replicate this number in every inline script.
> 
> So in my httpd-vhosts.conf I did this
> 
> Define numbnonce %{UNIQUE_ID}e
>            
> SubstituteInheritBefore on
> AddOutputFilterByType SUBSTITUTE text/html
> Substitute "s|(<script)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"
> Substitute "s|(<style)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"

Quick spot-check says you should probably change '.)*)' to ').*)'
Also, the env vars need to be ${}'ed.
Assuming you want to inject nonce-foo into all non-external scripts, I
would shorten it to something like:

s|<(style|script)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|

>     
> Header set Content-Security-Policy "default-src 'self'; connect-src
> 'self' ; script-src 'self' 'nonce-${numbnonce}'; style-src 'self'
> 'nonce-${numbnonce}';"
> 
> The variable appears in the headers ('nonce-WbGA@8CoABAAADceEfUAAAAP')
> but it doesn't appear in the substitution (<script nonce-$numbnonce="">), and I
> can't see why because I'm not skilled enough.
> 
> Thanks for reading me and thanks in advance for any ideas or suggestions.
> 
> Luis
> 
> 

