[jetty-users] Content Security Policy (CSP) upload of type application/csp-report

I'm adding CSP[1] to my HTML pages because OWASP recommends it[2], but I'm having trouble accepting reports with a Java/Jetty server.

The request I'm trying to process looks like this (in Chrome dev tools):

Request Headers:
:authority: myServer
:method: POST
:path: /somePath
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es;q=0.8
cache-control: no-cache
content-length: 685
content-type: application/csp-report
cookie: __cfduid=db5826e6e52efde6f19240e64885648011584136689; Hoshin=XfWP9dfo8V2sN4a9iqz2EAkhQfLKo8Lz_109781
origin: https://myServer
pragma: no-cache
referer: https://myServer/anotherPath
sec-fetch-dest: report
sec-fetch-mode: no-cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

Request Payload:
{"csp-report":{"document-uri":"https://myServer/anotherPath","referrer":"https://myServer/yetAnotherPath","violated-directive":"style-src-attr","effective-directive":"style-src-attr","original-policy":"default-src 'self';script-src 'self' stackpath.bootstrapcdn.com code.jquery.com cdn.jsdelivr.net cdnjs.cloudflare.com 'unsafe-eval' 'unsafe-inline';report-uri CspReport.act;","disposition":"report","blocked-uri":"inline","line-number":173,"source-file":"https://myServer/anotherPath","status-code":0,"script-sample":""}}

Question:
What's this "Payload" thing and how am I supposed to access it in Java?  If I call `request.getParts()` on the HttpServletRequest, I get:

javax.servlet.ServletException: Unsupported Content-Type [application/csp-report], expected [multipart/form-data]
at org.eclipse.jetty.server.Request.getParts(Request.java:2309)

I can access the "Payload" using Jetty's `baseRequest.getInputStream()` and I guess I'm just wondering if that's the best/only way to do it.  I'm used to doing whatever I need in the `HttpServletRequest`, not `org.eclipse.jetty.server.Request`.

Thanks for all your help in the past.

Notes:

--
Glen K. Peterson
(828) 393-0081
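As an added example (not the poster's code and not part of Jetty), one way to receive the report described above with the plain servlet API: the browser sends a JSON body with Content-Type `application/csp-report`, so `HttpServletRequest.getInputStream()` is the right call and the Jetty-specific `Request` class is not needed. The servlet class name, the 64 KB body cap, and the use of Jackson for JSON parsing are assumptions; the servlet is assumed to be mapped to the `report-uri` path of the policy.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/** Hypothetical endpoint for the report-uri; receives the browser's POST shown above. */
public class CspReportServlet extends HttpServlet {
    private static final int MAX_BODY_BYTES = 64 * 1024; // reports are small; cap to limit abuse
    private static final ObjectMapper MAPPER = new ObjectMapper(); // assumes Jackson on the classpath
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The body is a JSON document, not form data, so getParts()/getParameter() do not apply;
        // the servlet API's getInputStream() is enough, no need for org.eclipse.jetty.server.Request.
        String ct = req.getContentType();
        if (ct == null || !ct.toLowerCase().startsWith("application/csp-report")) {
            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        byte[] body = readBounded(req.getInputStream(), MAX_BODY_BYTES);
        if (body == null) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        JsonNode report = MAPPER.readTree(body).path("csp-report");
        if (report.isMissingNode()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Log only the fields needed for triage; every value is untrusted input from the client.
        log(String.format("CSP violation: directive=%s blocked-uri=%s document=%s line=%s",
                report.path("effective-directive").asText(),
                report.path("blocked-uri").asText(),
                report.path("document-uri").asText(),
                report.path("line-number").asText()));
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT); // the browser ignores the response body
    }
    // Reads at most max bytes; returns null if the body is larger than that.
    private static byte[] readBounded(InputStream in, int max) throws IOException {
        byte[] buf = new byte[max + 1];
        int total = 0, n;
        while (total < buf.length && (n = in.read(buf, total, buf.length - total)) != -1) {
            total += n;
        }
        return total > max ? null : Arrays.copyOf(buf, total);
    }
}
```

Malformed JSON makes `readTree` throw, which the container turns into a 500; a production handler would catch that and answer 400 instead.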
