Coder

Reputation: 107

Allow inline scripts CSP with Apache

I have to enable CSP and allow running inline scripts. I have been trying various things but I am still getting a CSP warning in the developer console.

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”)

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)

I have been trying to implement CSP with a nonce, and have the following in my Apache settings.

# mod_unique_id generates a unique ID for each HTTP request (Apache comments must start at the beginning of a line)
LoadModule unique_id_module modules/mod_unique_id.so

Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-%{UNIQUE_ID}e' 'unsafe-eval';"

The above Apache setting generates a unique ID, which I then pass to my inline JS: <script nonce="<?= $_SERVER['UNIQUE_ID'] ?>">

But I am still getting errors in the console.

Content Security Policy: Couldn’t parse invalid host 'nonce-X@KFhfNmoeAb3yfsstqrgQAAAMc'
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”)
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)

Please note that I don't intend to use unsafe-inline, as that would defeat the purpose of CSP.

From granty's answer I have now tried using the mod_cspnonce module, and have the following in my Apache config.

LoadModule headers_module modules/mod_headers.so
LoadModule cspnonce_module modules/mod_cspnonce.so
Header set Content-Security-Policy "script-src 'self' 'nonce-%{CSP_NONCE}e' 'unsafe-eval';"

The inline script tags now contain the CSP_NONCE variable.

However I am still getting some errors in the console.

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Any help appreciated, TIA

Upvotes: 2

Views: 2716

Answers (1)

granty

Reputation: 8496

mod_unique_id is not suitable for generating a nonce because of the @ character in the generated ID.

Your 'nonce-X@KFhfNmoeAb3yfsstqrgQAAAMc' token contains the disallowed character @. You can use mod_cspnonce instead. It generates valid nonce values via a cryptographic algorithm, according to the CSP spec.

PS: as I see "Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src")", be careful when using default-src as a fallback for script-src. Firefox has a bug: 'nonce-value' does not override 'unsafe-inline' in the default-src directive.

Upvotes: 2
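As an added example (not code from the question, the answer, or the mod_cspnonce project), the following Python models the point the answer makes: the CSP nonce-source grammar only admits base64 characters, so the mod_unique_id value with an @ in it cannot be parsed as a nonce, while a nonce drawn from the OS CSPRNG and base64-encoded passes. The inline_script_allowed helper is an assumed, simplified model of how a browser matches a single inline <script nonce="..."> against the policy (script-src falling back to default-src, and a directive that carries any nonce ignoring 'unsafe-inline'); it is not the browser's full CSP algorithm. The sample values are constructed for the example.

```python
import base64
import re
import secrets

# CSP3 grammar for a nonce source: "'nonce-" base64-value "'"
# base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" ) *2( "=" )
# "@" (as emitted by mod_unique_id) is not in this alphabet, which is why the
# browser reports "Couldn't parse invalid host 'nonce-X@...'".
_BASE64_VALUE = re.compile(r"[A-Za-z0-9+/\-_]+={0,2}")


def is_valid_nonce_value(value: str) -> bool:
    """True if value matches the CSP base64-value production."""
    return _BASE64_VALUE.fullmatch(value) is not None


def generate_nonce(num_bytes: int = 16) -> str:
    """Fresh per-response nonce: 128 bits from the OS CSPRNG, base64-encoded.

    The value must be unpredictable and differ on every response; a static or
    guessable nonce lets an attacker who can inject markup simply reuse it.
    """
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def build_csp_header(nonce: str, allow_eval: bool = False) -> str:
    """Assemble the header value used in the question, refusing an unparseable nonce."""
    if not is_valid_nonce_value(nonce):
        raise ValueError(f"not a valid CSP base64-value: {nonce!r}")
    script_src = ["'self'", f"'nonce-{nonce}'"]
    if allow_eval:
        script_src.append("'unsafe-eval'")
    return "default-src 'self'; script-src " + " ".join(script_src) + ";"


def inline_script_allowed(header: str, tag_nonce: str) -> bool:
    """Simplified model (an assumption, not the browser's full algorithm) of
    whether an inline <script nonce="tag_nonce"> passes the given policy.

    Models only two rules: script-src falls back to default-src when absent,
    and a directive containing any nonce ignores 'unsafe-inline' (CSP3).
    """
    directives = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    nonces = {
        s[len("'nonce-"):-1]
        for s in sources
        if s.startswith("'nonce-") and s.endswith("'")
    }
    if nonces:
        return tag_nonce in nonces
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    # Constructed inputs: the mod_unique_id value quoted in the question and a fresh nonce.
    bad = "X@KFhfNmoeAb3yfsstqrgQAAAMc"
    good = generate_nonce()
    print(bad, is_valid_nonce_value(bad))    # False
    print(good, is_valid_nonce_value(good))  # True
    header = build_csp_header(good, allow_eval=True)
    print(header)
    print(inline_script_allowed(header, good))     # True
    print(inline_script_allowed(header, "stale"))  # False
```

Run it once to see the rejected mod_unique_id value beside an accepted one; the same regex is a quick sanity check to run over whatever your server actually emits in the header before trusting it in the <script nonce> attribute.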
