As per the original article from Scott Helme that you intially referred to, you
will need to generate a random string yourself.
Something like this might help you in the right direction -
https://gist.github.com/earthgecko/3089509
From: Luis Speciale <lspeci...@gmail.com>
Reply: users@httpd.apache.org <users@httpd.apache.org>, lspeci...@gmail.com
<lspeci...@gmail.com>
Date: 11 September 2017 at 11:35:17 AM
To: users@httpd.apache.org <users@httpd.apache.org>
Subject: Re: [users@httpd] CSP nonces in apache
Le 11/09/2017 à 10:59, Daniel Gruno a écrit :
> On 09/11/2017 10:48 AM, Luis Speciale wrote:
>> Le 07/09/2017 à 20:57, Daniel Gruno a écrit :
>>
>>>
>>> might be that you need to uppercase it to NUMBNONCE.
>>
>> After a week trying I'm beginning to think that it can't be done the way
>> I thought. Is there a way (another, of course) to achieve this?
>
> It SHOULD work.
> I tested the following:
>
> SubstituteInheritBefore on
> SetOutputFilter SUBSTITUTE # Forcing substitute on everything
> Define NUMBNONCE "1234"
> Substitute "s/<(script|style)((?!\s*src=)?.*)>/<$1 nonce-${NUMBNONCE}$2>/i"
>
> My HTML then showed "<script nonce-1234 ...>"
Sorry for the double post, I forgot to post to the list
Yes, I know. But I need to populate NUMBNONCE with a variable number
which must change every hit, that's the reason why I was trying with
%{UNIQUE_ID} (I tried %TIME too). It appears that this variables works
only in the HTTPD config, but doesn't "exports" to the site. That's why
I thought it can't be done the way I figured it.
I need a variable that can go out the context of the httpd
Thanks again, Daniel
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
