On 11/09/2017 at 17:12, Daniel Gruno wrote:

For those who want to accept inline scripts and styles with a nonce according to the CSP directives.

You must reinstall your Apache server with Lua support.
On my Mac I had installed httpd2.4 with brew

Open
        /usr/local/Homebrew/Library/Taps/homebrew/homebrew-apache/httpd24.rb
and add
        --enable-lua

in the args section and save it:

args = %W[
...
      --enable-lua
...
    ]
Then stop and reinstall apache

        sudo apachectl stop
        brew reinstall httpd24

Edit httpd.conf and add mod_lua

        LoadModule lua_module libexec/mod_lua.so


Add these two lines to your httpd-vhosts.conf
        LuaOutputFilter fixupNonce /usr/local/var/www/nonce.lua nonce
        SetOutputFilter fixupNonce


Put this text in /usr/local/var/www/nonce.lua

-- Thanks to Daniel Gruno humbed...@apache.org who did… almost everything!
local nid  -- nonce for the current response, shared by nonce() and fixNonce()

function fixNonce(stype, str)
        -- If it has a source, it's not inline
        if str:match("src=") then
                return ("<%s%s>"):format(stype, str)
        else
                -- If not, we add the nonce as a proper nonce="..." attribute
                return ('<%s nonce="%s"%s>'):format(stype, nid, str)
        end
end

function nonce(r)
        -- Only rewrite HTML; returning before the first yield skips this filter
        -- for images, CSS files and anything else
        if not (r.content_type or ""):match("^text/html") then
                return
        end
        coroutine.yield()
        -- Make a random nonce ID for this response from OS randomness
        -- (math.random is not seeded, so it would repeat across requests)
        local f = assert(io.open("/dev/urandom", "rb"))
        local seed = f:read(16)
        f:close()
        nid = r:sha1(seed .. r.useragent_ip)
        -- Set the CSP header here instead of httpd.conf and give the var nid to nonce-
        -- (the standard header name is Content-Security-Policy; browsers ignore the old X- variant)
        r.err_headers_out['Content-Security-Policy'] = "default-src 'self'; connect-src 'self'; script-src 'self' 'nonce-"..nid.."'; style-src 'self' 'nonce-"..nid.."'; font-src 'self'; frame-ancestors 'self'; object-src 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-popups-to-escape-sandbox; base-uri 'self'; report-uri / https://••••••YOURSITE••••••••/CSP_URI.php"
        -- For each bucket, substitute script/style if inline
        while bucket do
                bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
                bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
                coroutine.yield(bucket)
        end
end


And start apache.

Test it with

<!doctype html>
<html class="no-js" lang="en">
<head>
        <meta charset="utf-8">
        <title>::CSP::</title>
        <meta name="description" content="fait des sites avec SPIP">
</head>
<body>
<h5>
        Hello!
</h5>
<script>
        console.log("It Works!");
</script>
<style>
        h5 {color:#900;}
</style>
</body>
</html>

You should get a red h5 and a console.log that confirms it works!

Voilà!


Thanks again Daniel!

Luis
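The browser console only shows that the script ran, not that the policy was enforced. As an added check (not part of the post above or of mod_lua), here is a small Python script that takes a response's headers and body and reports every inline script or style whose nonce the Content-Security-Policy header would not accept; the two samples are constructed, one as the filter should emit it and one reproducing a bare `nonce-xxx` attribute with only the retired `X-Content-Security-Policy` header.

```python
import re

# Constructed sample of what the nonce.lua filter should emit; not captured from a real server.
GOOD_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self' 'nonce-abc123'",
}
GOOD_BODY = """<html><head><script src="/app.js"></script>
<script nonce="abc123">console.log("It Works!");</script>
<style nonce="abc123">h5 {color:#900;}</style></head></html>"""

# Constructed sample with two mistakes: an X- header browsers ignore, and a bare nonce-xxx attribute.
BAD_HEADERS = {"Content-Type": "text/html", "X-Content-Security-Policy": "script-src 'self' 'nonce-abc123'"}
BAD_BODY = """<script nonce-abc123 >console.log("x");</script>
<style nonce="zzz">h5 {}</style>"""

NONCE_IN_POLICY = re.compile(r"'nonce-([A-Za-z0-9+/=]+)'")
OPEN_TAG = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
SRC_ATTR = re.compile(r"\bsrc\s*=", re.IGNORECASE)


def policy_nonces(headers):
    """Nonces the browser would accept. Only the standard header counts:
    X-Content-Security-Policy is a retired experimental name that browsers ignore."""
    return set(NONCE_IN_POLICY.findall(headers.get("Content-Security-Policy", "")))


def check_response(headers, body):
    """Return a list of problems; an empty list means every inline <script>/<style>
    carries a nonce="..." attribute that the enforced policy accepts."""
    problems = []
    if "Content-Security-Policy" not in headers:
        problems.append("no Content-Security-Policy header (an X- variant is not enforced)")
    accepted = policy_nonces(headers)
    for tag, attrs in OPEN_TAG.findall(body):
        if SRC_ATTR.search(attrs):
            continue  # external resource: covered by script-src 'self', no nonce needed
        match = NONCE_ATTR.search(attrs)
        if not match:
            problems.append(f"inline <{tag.lower()}> has no nonce attribute")
        elif match.group(1) not in accepted:
            problems.append(f"inline <{tag.lower()}> nonce {match.group(1)!r} is not in the policy")
    return problems


if __name__ == "__main__":
    for name, hdrs, body in (("good", GOOD_HEADERS, GOOD_BODY), ("bad", BAD_HEADERS, BAD_BODY)):
        print(name, check_response(hdrs, body) or "OK")
```

To check a live vhost, feed it the headers and body from a real response (for example from `curl -i`); the check reads the same values a browser does.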


