security::csp::nonce (public)

 security::csp::nonce [ -tokenname tokenname ]

Defined in packages/acs-tcl/tcl/security-procs.tcl

Generate a nonce token and return it. The nonce token can be used in content security policies (CSP2) for "script" and "style" elements. Desired properties: a single unique value per request that is hard for an attacker to predict, consisting only of base64 characters (so hex is fine). For details, see https://www.w3.org/TR/CSP/

Switches:
-tokenname
(defaults to "__csp_nonce") (optional)
Returns:
nonce token
Author:
Gustaf Neumann

Partial Call Graph (max 5 caller/called nodes):
Callers: Class ::xo::MessageRelay (public), Class ::xowiki::BootstrapNavbarDropzone (public), Class ::xowiki::includelet::book (public), Class ::xowiki::includelet::flowplayer (public), Class ::xowiki::includelet::timeline (public)
Calls: ad_conn (public)

Testcases:
No testcase defined.
Source code:
    ad_proc -public security::csp::nonce {
        {-tokenname "__csp_nonce"}
    } {
        Generate a nonce token for CSP "script" and "style" elements and
        return it; the value is computed once per request.
    } {
        #
        # Compute the nonce value only once per request. If it was
        # already computed, pick it up and return the precomputed
        # value. Otherwise, compute a new value.
        #
        set globalTokenName ::$tokenname
        if {[info exists $globalTokenName]} {
            set token [set $globalTokenName]
        } else {
            if {![ns_conn isconnected]} {
                #
                # Must be a background job; take the server address.
                #
                set session_id [ns_info address]
            } else {
                #
                # Anonymous request: use the peer address as session_id.
                #
                set session_id [ad_conn peeraddr]
            }
            #
            # Server-side secret from the NaviServer configuration
            # (empty string when not configured).
            #
            set secret [ns_config "ns/server/[ns_info server]/acs" parametersecret ""]

            #
            # Prefer an HMAC over the secret when available, otherwise
            # fall back to a SHA1 over secret, session_id and a timestamp.
            #
            if {[namespace which ::crypto::hmac] ne ""} {
                set token [::crypto::hmac string $secret $session_id-[clock clicks -microseconds]]
            } else {
                set token [ns_sha1 "$secret-$session_id-[clock clicks -microseconds]"]
            }
            set $globalTokenName $token
        }
        return $token
    }
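How the nonce is consumed on the response side, as an added example that is not part of the OpenACS source: the same token is placed in the Content-Security-Policy header and on the inline elements it should allow. It assumes a NaviServer connection context (so security::csp::nonce can be called) and writes the header directly with ns_set; the proc name and the HTML fragment are hypothetical.

```tcl
#
# Added example (not OpenACS code): render a fragment whose inline
# <style> and <script> are permitted by a nonce-based CSP. Assumes
# [ns_conn isconnected] is true and that no other code later replaces
# the Content-Security-Policy header.
#
proc csp_nonce_fragment {} {
    #
    # Both calls return the same token within one request, because
    # security::csp::nonce caches it in the global ::__csp_nonce.
    #
    set nonce [security::csp::nonce]
    if {$nonce ne [security::csp::nonce]} {
        error "nonce must be stable within a single request"
    }
    #
    # 'nonce-<value>' in script-src/style-src allows exactly those inline
    # elements that carry the same nonce attribute, so 'unsafe-inline'
    # is not needed. Quote the value even though it is hex/base64.
    #
    set policy "default-src 'self'; script-src 'self' 'nonce-$nonce';"
    append policy " style-src 'self' 'nonce-$nonce'"
    ns_set update [ns_conn outputheaders] Content-Security-Policy $policy

    set attr [ns_quotehtml $nonce]
    set html "<style nonce=\"$attr\">.hint { color: gray }</style>\n"
    append html "<script nonce=\"$attr\">document.title = 'nonce ok';</script>\n"
    return $html
}
```

An inline element without the nonce attribute (or with a different value) is blocked by the browser under this policy, which is the property the per-request, unpredictable token provides.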
Generic XQL file:
packages/acs-tcl/tcl/security-procs.xql

PostgreSQL XQL file:
packages/acs-tcl/tcl/security-procs-postgresql.xql

Oracle XQL file:
packages/acs-tcl/tcl/security-procs-oracle.xql
