Skip to content

Instantly share code, notes, and snippets.

@rezan

rezan/csp_nonce.vtc

Created August 13, 2018 19:12
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save rezan/24bd9f1943debcfc1a6ba2ffd388c006 to your computer and use it in GitHub Desktop.
Save rezan/24bd9f1943debcfc1a6ba2ffd388c006 to your computer and use it in GitHub Desktop.
Download ZIP
Generate CSP nonces for Javascript
Raw
csp_nonce.vtc
varnishtest "Generate CSP nonces for Javascript"
server s1 {
rxreq
txresp -hdr "Content-Type: text/html" -body {
<html>
<script>
var a=1;
</script>
</html>
}
expect req.url == "/1"
} -start
varnish v1 -vcl+backend {
import crypto;
import edgestash;
import xbody;
sub vcl_backend_response{
if (beresp.http.Content-Type ~ "html") {
xbody.regsub("<script>", "<script nonce={{nonce}}>");
edgestash.parse_response();
}
}
sub vcl_deliver {
if (edgestash.is_edgestash()) {
set req.http.X-nonce = crypto.hex_encode(crypto.urandom(16));
set resp.http.Content-Security-Policy = "script-src 'nonce-" +
req.http.X-nonce + "'";
edgestash.add_json({"
{
"nonce":""} + req.http.X-nonce + {""
}
"});
edgestash.execute();
}
}
} -start
client c1 {
txreq -url /1
rxresp
expect resp.status == 200
expect resp.body ~ "<script nonce=\\S+>"
expect resp.http.Content-Security-Policy ~ "nonce-\\S+"
} -run
@vlad-rusu
Copy link

Thanks a lot! This is great, but I can't get vmod xbody in Varnish Plus 4.1.10r4 (latest) ..
Docs do mention Varnish 6.. Yet I don't see a Varnish Plus 6 release

@vlad-rusu
Copy link

Works great, many many thanks!

@yzoug
Copy link

yzoug commented Jan 4, 2023

In case someone stumbles upon this as I just did: this implementation is vulnerable, do not do it this way. If someone includes a script tag in your website, if Varnish is configured this way he will happily put the nonce where needed, hence the XSS is possible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment