security::csp::nonce (public)
security::csp::nonce [ -tokenname tokenname ]
Defined in packages/acs-tcl/tcl/security-procs.tcl
Generate a nonce token and return it. The nonce token can be used in content security policies (CSP2) for "script" and "style" elements. Desired Properties: generate a single unique value per request which is hard for a hacker to predict, it should only contain base64 characters (so hex is fine). For details, see https://www.w3.org/TR/CSP/
- Switches:
- -tokenname
(defaults to"__csp_nonce"
) (optional)- Returns:
- nonce token
- Author:
- Gustaf Neumann
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- No testcase defined.
Source code: # # Compute the nonce value only once per requests. If it was # already computed, pick it up and return the precomputed # value. Otherwise, compute the value new. # set globalTokenName ::$tokenname if {[info exists $globalTokenName]} { set token [set $globalTokenName] } else { if {![ns_conn isconnected]} { # # Must be a background job, take the address # set session_id [ns_info address] } else { # # Anonymous request, use a peer address as session_id # set session_id [ad_conn peeraddr] } set secret [ns_config "ns/server/[ns_info server]/acs" parameterSecret ""] if {[namespace which ::crypto::hmac] ne ""} { set token [::crypto::hmac string $secret $session_id-[clock clicks -microseconds]] } else { set token [ns_sha1 "$secret-$session_id-[clock clicks -microseconds]"] } set $globalTokenName $token } return $tokenGeneric XQL file: packages/acs-tcl/tcl/security-procs.xql
PostgreSQL XQL file: packages/acs-tcl/tcl/security-procs-postgresql.xql
Oracle XQL file: packages/acs-tcl/tcl/security-procs-oracle.xql