# iRule that reads the nonce value from the CSP response header and adds it to
# the HTML script tags.
# This is needed for the JavaScript that is injected by an ASM Bot Defence profile.
# Make sure to attach an HTML profile to the virtual server that raises an
# event when it detects a script tag in the HTML.
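when HTTP_RESPONSE {
    # Capture the CSP nonce of this response in the variable "nonce", which the
    # HTML_TAG_MATCHED event reads when it stamps matched script tags.
    #
    # Clear any value left over from an earlier response on the same
    # connection first, so a response without a CSP nonce never hands out a
    # stale one.
    unset -nocomplain nonce

    # Check if the response header contains a CSP
    if {[HTTP::header exists "Content-Security-Policy"]} {
        # Get the CSP header value
        set csp [HTTP::header value "Content-Security-Policy"]
        # Extract only the base64 value between 'nonce- and the closing quote.
        # The earlier [string trim ... "nonce-"] treated "nonce-" as a set of
        # characters and could strip leading or trailing n/o/c/e/- characters
        # from the nonce itself, and the fixed "end-3" range was only right
        # when the nonce source was the last thing in the header.
        # When nothing matches, regexp leaves "nonce" unset.
        # Only the first nonce source found in the header is used.
        regexp {'nonce-([A-Za-z0-9+/_-]+={0,2})'} $csp csp_match nonce
    }
}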
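# Event raised when the HTML profile rule matches a tag
when HTML_TAG_MATCHED {
    # Add the nonce captured in HTTP_RESPONSE to the matched tag, unless the
    # tag already carries one.
    #
    # "nonce" is only set when the response had a CSP header with a nonce
    # source; reading it unguarded raises a Tcl error for every other response.
    #
    # NOTE(review): every tag the HTML profile matches receives the valid
    # nonce, including a script tag that reached the page through reflected or
    # stored input, so the CSP nonce no longer distinguishes trusted scripts
    # on this virtual server. Scope the HTML rule as narrowly as the profile
    # allows - confirm against the HTML profile configuration.
    if {[info exists nonce] && ![HTML::tag attribute exists "nonce"]} {
        HTML::tag attribute insert "nonce" $nonce
    }
}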