Re: [jetty-users] Content Security Policy (CSP) upload of type application/csp-report

What's this "Payload" thing and how am I supposed to access it in Java?  If I call `request.getParts()` on the HttpServletRequest, I get:
javax.servlet.ServletException: Unsupported Content-Type [application/csp-report], expected [multipart/form-data]
at org.eclipse.jetty.server.Request.getParts(Request.java:2309)

The Servlet spec has the following behavior:
  • .getParts() - requires:
    1. The content be sent as `Content-Type: multipart/form-data`
    2. The request body content be encoded as multipart/form-data
    3. Supports any HTTP Method (GET/POST/PUT/etc)
    4. Destination Servlet must have declared MultipartConfigElement (either as annotation or web descriptor element)
  • .getParameter() - requires:
    1. Content-Type: application/x-www-form-urlencoded - with request body encoded as such
    2. Content-Type: multipart/form-data - with request body encoded as such. (same rules as .getParts())
    3. that the content be sent as HTTP method POST or PUT
I can access the "Payload" using Jetty's `baseRequest.getInputStream()` and I guess I'm just wondering if that's the best/only way to do it.  I'm used to doing whatever I need in the `HttpServletRequest`, not `org.eclipse.jetty.server.Request`.

This is correct: as your request didn't satisfy the above requirements, it can only be accessed via HttpServletRequest.getInputStream() or HttpServletRequest.getWriter().
Thanks for all your help in the past.

Glad to help

Joakim Erdfelt / joakim@xxxxxxxxxxx
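
A minimal report endpoint along the lines of the answer above, as an added example (not code from this thread or from the Jetty project): it rejects anything that is not `application/csp-report`, reads the JSON body through the plain `HttpServletRequest.getReader()` with a size bound, and pulls out the inner `csp-report` object. The servlet name, the 16 KiB limit and the use of jetty-util's `JSON` class are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.util.ajax.JSON; // parser from jetty-util, assumed on the classpath
public class CspReportServlet extends HttpServlet { // hypothetical name; map it to the report-uri
    // Browser reports are a few hundred bytes and the endpoint needs no authentication,
    // so bound what is buffered rather than trusting Content-Length.
    private static final int MAX_REPORT_CHARS = 16 * 1024;
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String contentType = req.getContentType();
        if (contentType == null || !contentType.startsWith("application/csp-report")) {
            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        // JSON body, not form data: getParts()/getParameter() do not apply, so read the
        // raw body through the plain servlet API instead of Jetty's Request class.
        req.setCharacterEncoding("UTF-8");
        char[] buf = new char[MAX_REPORT_CHARS + 1];
        int total = 0, n;
        try (BufferedReader reader = req.getReader()) {
            while (total < buf.length && (n = reader.read(buf, total, buf.length - total)) != -1) {
                total += n;
            }
        }
        if (total > MAX_REPORT_CHARS) { resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE); return; }
        Map<?, ?> report = extractReport(new String(buf, 0, total));
        if (report == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        // Fields are browser-supplied, attacker-influenced input: log them, never echo them back.
        getServletContext().log("CSP violation: " + report.get("violated-directive")
                + " blocked " + report.get("blocked-uri") + " on " + report.get("document-uri"));
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
    // Returns the inner "csp-report" object, or null when the body is not shaped as expected.
    static Map<?, ?> extractReport(String json) {
        try {
            Object parsed = JSON.parse(json);
            Object inner = parsed instanceof Map ? ((Map<?, ?>) parsed).get("csp-report") : null;
            return inner instanceof Map ? (Map<?, ?>) inner : null;
        } catch (RuntimeException e) { // malformed JSON; the exact exception type is assumed
            return null;
        }
    }
}
```

Because the request is not form-encoded, no `MultipartConfigElement` is needed on this servlet; the body is consumed once, so nothing else should call `getInputStream()` afterwards.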


On Tue, Apr 7, 2020 at 3:41 PM Glen Peterson <glen.k.peterson@xxxxxxxxx> wrote:
I'm adding CSP[1] to my HTML pages because OWASP recommends it[2], but I'm having trouble accepting reports with a Java/Jetty server.

The request I'm trying to process looks like this (in Chrome dev tools):

Request Headers:
:authority: myServer
:method: POST
:path: /somePath
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es;q=0.8
cache-control: no-cache
content-length: 685
content-type: application/csp-report
cookie: __cfduid=db5826e6e52efde6f19240e64885648011584136689; Hoshin=XfWP9dfo8V2sN4a9iqz2EAkhQfLKo8Lz_109781
origin: https://myServer
pragma: no-cache
referer: https://myServer/anotherPath
sec-fetch-dest: report
sec-fetch-mode: no-cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

Request Payload:
{"csp-report":{"document-uri":"https://myServer/anotherPath","referrer":"https://myServer/yetAnotherPath","violated-directive":"style-src-attr","effective-directive":"style-src-attr","original-policy":"default-src 'self';script-src 'self' stackpath.bootstrapcdn.com code.jquery.com cdn.jsdelivr.net cdnjs.cloudflare.com 'unsafe-eval' 'unsafe-inline';report-uri CspReport.act;","disposition":"report","blocked-uri":"inline","line-number":173,"source-file":"https://myServer/anotherPath","status-code":0,"script-sample":""}}

Question:
What's this "Payload" thing and how am I supposed to access it in Java?  If I call `request.getParts()` on the HttpServletRequest, I get:

javax.servlet.ServletException: Unsupported Content-Type [application/csp-report], expected [multipart/form-data]
at org.eclipse.jetty.server.Request.getParts(Request.java:2309)

I can access the "Payload" using Jetty's `baseRequest.getInputStream()` and I guess I'm just wondering if that's the best/only way to do it.  I'm used to doing whatever I need in the `HttpServletRequest`, not `org.eclipse.jetty.server.Request`.

Thanks for all your help in the past.
