Add CSP Support ("application/csp-report" content type)
Opened this issue · 2 comments
I recently made some modifications so that I could use Taffy as an endpoint to receive Content Security Policy (CSP) violation reports.
In order to accept background posts containing a JSON header from browsers, I had to add the following requestObj.contentType override to core\api.cfc in the parseRequest method.
<!--- In parseRequest(): treat browser CSP violation posts as ordinary JSON requests --->
<cfif requestObj.contentType is "application/csp-report">
    <cfset requestObj.contentType = "application/json">
</cfif>
In the endpoint script, the JSON payload is retrieved using the HTTP Request content.
<!--- Read the raw POST body; silently drop anything that is not valid JSON --->
<cfset jsonData = toString(getHttpRequestData().content)>
<cfif not isJson(jsonData)>
    <cfreturn representationOf({}).withStatus(204) />
</cfif>
This has been working successfully for me, but I wonder if I did it correctly or not. There's no other way for Taffy to know how to consume a CSP report in the header without having to hack the core api CFC, right? Is this the best way to consume CSP reports? Thanks.
Are you referring to this?
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust of the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from.
CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those whitelisted domains, ignoring all other script (including inline scripts and event-handling HTML attributes).
Yes, when a CSP header "report" designation is used, the browser automatically performs an HTTP POST w/JSON data of the violations using "application/csp-report" as the content type. Taffy will accept posts if the core api.cfc is updated to accept & rewrite the content type to "application/json"... otherwise Taffy doesn't identify it as a valid API request.
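The two posts above describe the same mechanism: the browser POSTs a JSON document with Content-Type "application/csp-report", and the endpoint has to accept that media type and then validate the body before trusting it. The following is an added, framework-agnostic illustration of that endpoint logic in Python; it is not Taffy code and not the issue author's code. The function name parse_csp_report, the size cap MAX_BODY_BYTES, and the sample report body are assumptions made for this example; the field names under "csp-report" are the ones defined by the CSP specification.

```python
import json

# Media types a CSP report endpoint should accept. Browsers send
# "application/csp-report"; "application/json" is kept so manual tests and
# other clients still work. This is the endpoint-side equivalent of the
# content-type rewrite the thread adds to core/api.cfc.
ACCEPTED_CONTENT_TYPES = {"application/csp-report", "application/json"}

# Keys the CSP specification defines for the "csp-report" object.
KNOWN_FIELDS = (
    "document-uri", "referrer", "blocked-uri", "violated-directive",
    "effective-directive", "original-policy", "disposition", "status-code",
    "script-sample", "line-number", "column-number",
)

# Assumed cap: real reports are a few hundred bytes, so anything large is
# either a bug or an attempt to flood the report log.
MAX_BODY_BYTES = 64 * 1024


def parse_csp_report(content_type, body):
    """Validate one CSP violation POST.

    Returns (http_status, cleaned_report_or_None). 204 is returned for both
    accepted and rejected-but-harmless bodies, mirroring the thread's endpoint:
    the browser never displays the response, so a 4xx would only add noise.
    """
    # Strip parameters such as "; charset=utf-8" before comparing.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in ACCEPTED_CONTENT_TYPES:
        return 415, None
    if len(body) > MAX_BODY_BYTES:
        return 413, None
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 204, None
    report = payload.get("csp-report") if isinstance(payload, dict) else None
    if not isinstance(report, dict):
        return 204, None
    # Keep only spec-defined keys and coerce values to bounded strings, so an
    # attacker-controlled body cannot push arbitrary structures into logs.
    cleaned = {k: str(report[k])[:2048] for k in KNOWN_FIELDS if k in report}
    return 204, cleaned


# Constructed sample of what a browser posts; not captured from a real site.
SAMPLE_BODY = json.dumps({
    "csp-report": {
        "document-uri": "https://app.example/checkout",
        "referrer": "",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp-report",
        "blocked-uri": "https://cdn.example.net/analytics.js",
        "status-code": 200,
    }
}).encode("utf-8")


if __name__ == "__main__":
    status, report = parse_csp_report("application/csp-report", SAMPLE_BODY)
    print(status, report)
```

The media type is compared after dropping any parameters, because some browsers append a charset; the rest of the function deliberately returns 204 rather than an error for malformed bodies, exactly as the thread's endpoint does, while still refusing unexpected media types and oversized posts before any parsing happens.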