Many agree that deploying CSP for Web apps is a hassle, one part of which is externalizing all inline JS.
I would like to discuss the idea of automating this process with the ModSecurity Core Rule Set, assisted by a Lua script. Can anyone help me validate this idea? Here is the workflow. In "learning mode", create a Lua script to:

1- Intercept and scan response data, parse the HTML and identify inline JS and JS embedded in HTML events.
2- Then create a new .js file containing the identified JS and store it (e.g. via FTP) in a web location that can be accessed from the public domain.
3- Remove the inline JS blocks from the response.
4- Replace each HTML event with a call to the new JS function in the response.
5- Calculate the CSP content based on the original response, adding the location of the newly generated .js file.
6- Append the generated CSP headers to the response.
7- Save metadata (i.e. the new .js file name, hash of the original response, request URL) to a local data store for caching (performance consideration).

"Learning mode" means the Core Rule Set performs the above actions ONLY when it sees a request from a trusted source such as a given IP address. Automated requests can be sent by open-source web crawlers available out there, or manually by web browsers.

Thanks,
R.S.
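Steps 1 to 7 of the proposed workflow, as an added Python sketch of the rewriting logic that a learning-mode hook would have to perform; this is not the poster's code and not a ModSecurity/Lua hook, and the regexes, the /csp-gen/ path, the data-csp-h attribute and the sample page are assumptions. Event handlers are re-attached with addEventListener from the generated file rather than rewritten as on*="f(event)" attributes, because a rewritten attribute is still inline script and would be blocked by the very CSP being generated.

```python
import hashlib
import re
from html import unescape
from urllib.parse import urlparse

# Constructed sample response, standing in for the body the Lua hook would see.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.org/lib.js"></script>
<script>var greeting = "hi";</script>
</head><body>
<button id="go" onclick="alert(greeting)">Go</button>
</body></html>"""

SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>\s*", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
EVENT_RE = re.compile(r'<(\w+)([^>]*?)\s(on\w+)\s*=\s*"([^"]*)"([^>]*)>', re.I)

def origin_of(url):
    """CSP source expression for a script URL: its origin, or 'self' if relative."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" if p.netloc else "'self'"

def externalize(page, js_path="/csp-gen/"):
    """Steps 1-7: return (rewritten html, generated js, csp value, cache metadata)."""
    js, origins = [], {"'self'"}          # 'self' covers the generated file itself
    def take_script(m):
        src = SRC_RE.search(m.group("attrs"))
        if src:                            # external script: keep it, record its origin
            origins.add(origin_of(src.group(1)))
            return m.group(0)
        js.append(m.group("body").strip()) # inline block: moved into the .js file
        return ""

    def take_event(m):
        tag, before, ev, body, after = m.groups()
        n = len(js)
        # The on* attribute is dropped and a listener is attached from the external
        # file instead: an on*="f(event)" attribute would still be inline under CSP.
        js.append("document.querySelectorAll('[data-csp-h=\"%d\"]').forEach(function(e){"
                  "e.addEventListener('%s',function(event){%s});});"
                  % (n, ev[2:].lower(), unescape(body)))
        return f'<{tag}{before} data-csp-h="{n}"{after}>'

    digest = hashlib.sha256(page.encode()).hexdigest()[:16]   # hash of original response
    name = f"{js_path}{digest}.js"
    page = EVENT_RE.sub(take_event, SCRIPT_RE.sub(take_script, page))
    page = page.replace("</body>", f'<script src="{name}"></script></body>', 1)
    csp = "script-src " + " ".join(sorted(origins))
    return page, "\n".join(js), csp, {"js": name, "sha256": digest}
```

The regexes only cover well-formed double-quoted attributes and one handler per element; a production hook would need a real HTML parser, and the generated file must be served from an origin the emitted script-src allows.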
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set