I'm adding CSP[1] to my HTML pages because OWASP recommends it[2], but I'm
having trouble accepting reports with a Java/Jetty server.

The request I'm trying to process looks like this (in Chrome dev tools):

*Request Headers:*
:authority: myServer
:method: POST
:path: /somePath
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es;q=0.8
cache-control: no-cache
content-length: 685
content-type: application/csp-report
cookie: __cfduid=db5826e6e52efde6f19240e64885648011584136689; Hoshin=XfWP9dfo8V2sN4a9iqz2EAkhQfLKo8Lz_109781
origin: https://myServer
pragma: no-cache
referer: https://myServer/anotherPath
sec-fetch-dest: report
sec-fetch-mode: no-cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

*Request Payload:*
{"csp-report":{
  "document-uri":"https://myServer/anotherPath",
  "referrer":"https://myServer/yetAnotherPath",
  "violated-directive":"style-src-attr",
  "effective-directive":"style-src-attr",
  "original-policy":"default-src 'self';script-src 'self' stackpath.bootstrapcdn.com code.jquery.com cdn.jsdelivr.net cdnjs.cloudflare.com 'unsafe-eval' 'unsafe-inline';report-uri CspReport.act;",
  "disposition":"report",
  "blocked-uri":"inline",
  "line-number":173,
  "source-file":"https://myServer/anotherPath",
  "status-code":0,
  "script-sample":""
}}

*Question:*
What's this "Payload" thing and how am I supposed to access it in Java?  If I
call `request.getParts()` on the HttpServletRequest, I get:

javax.servlet.ServletException: Unsupported Content-Type
[application/csp-report], expected [multipart/form-data]
at org.eclipse.jetty.server.Request.getParts(Request.java:2309)

I can access the "Payload" using Jetty's `baseRequest.getInputStream()` and
I guess I'm just wondering if that's the best/only way to do it.  I'm used
to doing whatever I need in the `HttpServletRequest`, not
`org.eclipse.jetty.server.Request`.

Thanks for all your help in the past.

Notes:
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Enabling_reporting
[2] https://owasp.org/www-community/attacks/Content_Security_Policy

-- 
Glen K. Peterson
(828) 393-0081
jetty-users mailing list
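The body of an `application/csp-report` POST is just the raw request body, so it can be read through the standard `HttpServletRequest` without touching `org.eclipse.jetty.server.Request`. The servlet below is an added example, not code from the original post or from Jetty; the servlet name, the size cap and the use of the javax.json (JSON-P) API are assumptions, so substitute your own JSON library.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original post). Name and JSON library are assumptions.
public class CspReportServlet extends HttpServlet {
    // Browser reports are a few hundred bytes; cap the body so any client that can
    // reach the report URI cannot make the endpoint buffer arbitrarily large requests.
    private static final int MAX_BODY_BYTES = 16 * 1024;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String ct = req.getContentType();
        if (ct == null || !ct.startsWith("application/csp-report")) {
            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        // The "Payload" shown in dev tools is the raw body: read it from the
        // standard servlet input stream, not from Jetty's Request class.
        byte[] body = readBounded(req.getInputStream(), MAX_BODY_BYTES);
        if (body == null) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        JsonObject report;
        try {
            String json = new String(body, StandardCharsets.UTF_8);
            report = Json.createReader(new StringReader(json)).readObject().getJsonObject("csp-report");
        } catch (JsonException | ClassCastException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST); // malformed or wrongly shaped JSON
            return;
        }
        if (report != null) {
            // Every field is client-controlled (anyone can POST here), so strip line
            // breaks before logging to keep a crafted report from forging log entries.
            log("CSP violation: directive=" + clean(report.getString("violated-directive", "?"))
                    + " blocked=" + clean(report.getString("blocked-uri", "?"))
                    + " page=" + clean(report.getString("document-uri", "?")));
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT); // the browser ignores the response body
    }

    // Reads at most `max` bytes; returns null (caller rejects the request) if the body is larger.
    static byte[] readBounded(InputStream in, int max) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        for (int n; (n = in.read(chunk)) != -1; ) {
            if (buf.size() + n > max) return null;
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    static String clean(String s) { return s.replaceAll("[\\r\\n]", " "); }
}
```

`req.getReader()` works equally well for a text body; the bounded read matters either way, since the report URI is reachable by any client, not only by browsers enforcing your policy.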