[Rt-commit] rt branch, 4.6/add-nonce-source-support, created. rt-4.4.2-96-g862c1603c

Jim Brandt jbrandt at bestpractical.com
Wed May 30 17:28:44 EDT 2018


The branch, 4.6/add-nonce-source-support has been created
        at  862c1603cc53274ee8b70518c87c43b5b4cca739 (commit)

- Log -----------------------------------------------------------------
commit 862c1603cc53274ee8b70518c87c43b5b4cca739
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Wed May 30 17:28:17 2018 -0400

    Add a nonce for CSP headers

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 6ef0c6c68..556e6e433 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -291,6 +291,8 @@ sub HandleRequest {
     InitializeMenu();
     MaybeShowInstallModePage();
 
+    SetSecurityHeaders() if RT->Config->Get('SetCSPHeaders');
+
     MaybeRebuildCustomRolesCache();
 
     $HTML::Mason::Commands::m->comp( '/Elements/SetupSessionCookie', %$ARGS );
@@ -385,6 +387,13 @@ sub HandleRequest {
     $HTML::Mason::Commands::m->comp( '/Elements/Footer', %$ARGS );
 }
 
+sub SetSecurityHeaders {
+    my $nonce = Digest::MD5::md5_hex( rand(1024) );
+    $HTML::Mason::Commands::m->notes->{'csp-nonce'} = $nonce;
+    $HTML::Mason::Commands::r->headers_out->{'content-security-policy'} =
+        RT->Config->Get('SetCSPHeaders') . "; script-src 'nonce-$nonce';";
+}
+
 sub _ForceLogout {
 
     delete $HTML::Mason::Commands::session{'CurrentUser'};
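Review bot: The nonce in SetSecurityHeaders is derived from `rand(1024)`, which is not a cryptographic source, so an attacker who can observe a few nonces (or who knows the process seed) could predict the next one and get an injected script past the policy; a CSP nonce is only as strong as its unpredictability. The MD5 hash does not add entropy, so this should read bytes from a CSPRNG and base64-encode them, e.g. `my $nonce = MIME::Base64::encode_base64( Crypt::URandom::urandom(16), '' );` (or whichever CSPRNG module RT already depends on), with at least 128 bits of randomness per request. Separately, the header is built by appending `script-src 'nonce-...'` to the configured `SetCSPHeaders` string; if an administrator's value already contains a `script-src` directive, browsers honour only the first occurrence and silently drop the nonce, so either document that the configured policy must not set `script-src` or merge the nonce into the existing directive. The `_ForceLogout` sub at the end of the hunk continues outside the visible range.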

-----------------------------------------------------------------------

