Hi Arnaud, I'd like to add a different nonce for CSP to every call of GetViewInfo.
Actually I put my CSP into OutCustomHeaders in the HttpServer request.
Is it possible to access / modify Ctxt.OutCustomHeaders from MVCApplication?
Thank you
Rad Studio 12.3 Athens
For an MVC app you can add the parameter CustomOutHttpHeader to your public methods. @ab added this feature when I needed a response header for an htmx application.
procedure TMyMVCApplication.Test(... ; out CustomOutHttpHeader: RawUtf8);
begin
  ...
  CustomOutHttpHeader := 'HX-Retarget: #dialog';
end;
Ty, I'll try.
I think both variants are too complicated. I generate the ContentSecurityPolicy in GetViewInfo, which generates 2 nonce values, for script and for style.
Both values I give to mustache as {{main.cspnonce}}.
If I use a callback it is called after MVC, so how could I add my nonces to main.xy?
If I use ttomas' version I have to add my code to every function, and I have a lot.
To make it easy, I made a little patch to TRestUriParams and added a new value: ContentSecurityPolicy
  LowLevelUserAgent: RawUtf8;
  /// itSDS: for ContentSecurityPolicy!
  ContentSecurityPolicy: RawUtf8; // itSDS
  /// initialize the non RawUtf8 values
  procedure Init; overload;
Then I added a little bit of code to mormot.rest.http.server.pas:
  call.LowLevelUserAgent := Ctxt.UserAgent;
  call.ContentSecurityPolicy := ''; // itSDS
  if fHosts.Count > 0 then
  Ctxt.OutCustomHeaders := call.OutHead;
  if call.ContentSecurityPolicy <> '' then // itSDS
    Ctxt.AddOutHeader(['Content-Security-Policy: ', call.ContentSecurityPolicy]);
  if call.OutInternalState <> 0 then
What do you think?
Last edited by itSDS (2025-03-21 10:10:28)
The TRestUriParams structure should be kept small and with minimal fields.
This ContentSecurityPolicy field is too dedicated to my understanding.
I don't understand how and where you set your ContentSecurityPolicy.ContentSecurityPolicy field.
Why not just use:
AppendLine(call.OutHead, ['Content-Security-Policy: ', MyContentSecurityPolicy]);
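As an added example of the approach in the answer above (not code from the thread or from mORMot itself): generate two fresh nonces per response, append the resulting header to the outgoing header buffer with AppendLine, and hand the same values to the view object that GetViewInfo fills. Unit and routine names (TAesPrng.Main.FillRandom, BinToBase64, FormatUtf8, AppendLine, _ObjAddProps) are assumed to be those of mORMot 2; how the header buffer is reached from GetViewInfo is left to the caller, as in the thread.

```pascal
uses
  mormot.core.base,     // RawUtf8
  mormot.core.text,     // FormatUtf8, AppendLine
  mormot.core.buffers,  // BinToBase64
  mormot.core.variants, // _ObjAddProps
  mormot.crypt.core;    // TAesPrng

/// one fresh CSP nonce: 128 bits from the CSPRNG, base64-encoded as the
// 'nonce-<base64-value>' grammar requires; generated per response, never reused
// (assumed mORMot 2 names: TAesPrng.Main.FillRandom, BinToBase64)
function NewCspNonce: RawUtf8;
var
  raw: array[0..15] of byte;
begin
  TAesPrng.Main.FillRandom(@raw, SizeOf(raw));
  result := BinToBase64(PAnsiChar(@raw), SizeOf(raw));
end;

/// build a policy with separate script and style nonces and append it to a
// response header buffer, e.g. call.OutHead as in the answer above, or any
// other RawUtf8 header list the caller can reach for the current request
procedure AddCspHeader(var OutHead: RawUtf8; out scriptNonce, styleNonce: RawUtf8);
var
  policy: RawUtf8;
begin
  scriptNonce := NewCspNonce;
  styleNonce := NewCspNonce;
  // inline <script>/<style> tags are only allowed when they carry the
  // matching nonce attribute; everything else falls back to 'self'
  policy := FormatUtf8(
    'default-src ''self''; script-src ''nonce-%''; style-src ''nonce-%''; ' +
    'object-src ''none''; base-uri ''self''; frame-ancestors ''none''',
    [scriptNonce, styleNonce]);
  AppendLine(OutHead, ['Content-Security-Policy: ', policy]);
end;

/// expose the nonces to the Mustache view as {{main.cspScriptNonce}} and
// {{main.cspStyleNonce}} by adding them to the info object of GetViewInfo()
// (assumed mORMot 2 name: _ObjAddProps)
procedure AddCspNoncesToViewInfo(var info: variant;
  const scriptNonce, styleNonce: RawUtf8);
begin
  _ObjAddProps(['cspScriptNonce', scriptNonce,
                'cspStyleNonce', styleNonce], info);
end;
```

In the template each tag needs the same value, e.g. `<script nonce="{{main.cspScriptNonce}}">`; because the policy only holds if every response gets new nonces, AddCspHeader must run once per request and never once at startup.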