I'm trying to generate a nonce for the CSP. I have already enabled Apache's unique_id module, and the .htaccess is already generating it correctly.
Header set Content-Security-Policy-Report-Only "style-src 'self' 'nonce-%{UNIQUE_ID}e';"
In the inspector you can see that it is working, since the report includes the nonce:
[Report Only] Refused to apply inline style because it violates the following Content Security Policy Directive: "style-src 'self' 'nonce-Xtdmkn8aaqpqhtazoz6caaaae'". Either the 'unsafe-inline' keyword, a hash ('sha256-1aqpLm6ug6vs34Tx89vHCLRgWo6n/fPxZgDY7CS2PT4=') or a nonce ('nonce-...') is required to enable inline Execution.
The problem is that when I use the variable $_SERVER['UNIQUE_ID'] in HTML it generates another key. HTML has dynamic elements that change according to PHP variables:
$var = $var1 * $var2; // $var1 and $var2 always change
$myUniqId = $_SERVER['UNIQUE_ID'];
echo '<div class="star_bar" nonce="' . $myUniqId . '" style="width:' . $var . 'px;">';
Looking through the source you can see that the unique ID is being generated in HTML, but it is different from what is generated in .htaccess (which appears in the report message above).
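An added example (not part of the original post): one way to guarantee that the header and the markup carry the same value is to generate the nonce once in PHP and emit both from the same script, assuming the `Header` line is removed from .htaccess. The dynamic width moves into a nonced `<style>` element because CSP nonces are matched on `<style>` elements, not on `style=""` attributes; the function names and sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: helper names are hypothetical, not from the original post.

/** Generate a fresh, unpredictable nonce for this response. */
function csp_nonce(): string
{
    // 16 random bytes = 128 bits, base64-encoded for use in the policy.
    return base64_encode(random_bytes(16));
}

/** Build the policy value used in the question, with the given nonce. */
function csp_style_policy(string $nonce): string
{
    return "style-src 'self' 'nonce-{$nonce}'";
}

/** Render the star bar with its width in a nonced <style> element. */
function render_star_bar(string $nonce, int $widthPx): string
{
    $n = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
    return '<style nonce="' . $n . '">.star_bar{width:' . $widthPx . "px;}</style>\n"
         . '<div class="star_bar"></div>' . "\n";
}

// Constructed sample values standing in for $var1 and $var2.
$var1 = 12;
$var2 = 5;
$var = $var1 * $var2;

// One nonce per response, shared by the header and the markup.
$nonce = csp_nonce();

// The header must be sent before any output is written.
header('Content-Security-Policy-Report-Only: ' . csp_style_policy($nonce));
echo render_star_bar($nonce, (int) $var);
```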