访问发布到 ASP.Net 的内容安全策略违规报告
Accessing Content Security Policy violation reports posted to ASP.Net
例如,如果您有像这样的 CSP
default-src 'self'; report-uri /CspViolationReport
如果 /CspViolationReport
由 ASP.Net 处理,您如何访问发布的 CSP 违规报告?
我们希望找到一些 JSON 发布的内容,例如http://www.w3.org/TR/CSP11/#example-violation-report
当您检查 Request.Form 时,其中没有任何键;Request.ServerVariables["ALL_RAW"] 中也没有任何踪迹,但 Request.ServerVariables["HTTP_METHOD"] 确实是 "POST"。
用 Fiddler 截取该 POST 请求,可以看到 JSON 确实被发送了,但是 .NET 似乎不让你访问它。
这是一种受 http://muaz-khan.blogspot.co.nz/2012/06/exploring-csp-content-security-policy.html 启发的方法,谢谢!
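/// <summary>
/// Reads the raw request body of a CSP violation report (the browser posts a JSON
/// document, not form fields, so it never shows up in Request.Form) and
/// deserialises it into a <see cref="CspPost"/>.
/// </summary>
/// <remarks>
/// The body is supplied by the reporting client and nothing here validates it;
/// treat every field of <c>cspPost.CspReport</c> as untrusted before logging,
/// storing or rendering it. <c>Request</c> is the enclosing handler's HttpRequest.
/// </remarks>
void ProcessCspValidationReport() {
    // Upper bound on the body that will be buffered into a string. A genuine
    // report is at most a few KB (the original policy is the largest field),
    // so anything bigger is dropped instead of being read into memory.
    const long MaxReportBytes = 64 * 1024;

    // Rewind in case an earlier module already consumed the stream.
    Request.InputStream.Position = 0;
    if (Request.InputStream.Length > MaxReportBytes)
    {
        return;
    }

    using (StreamReader inputStream = new StreamReader(Request.InputStream))
    {
        string s = inputStream.ReadToEnd();
        if (string.IsNullOrWhiteSpace(s))
        {
            return;
        }

        CspPost cspPost = JsonConvert.DeserializeObject<CspPost>(s);
        // DeserializeObject can return null (e.g. for the JSON literal "null"),
        // and a body without a "csp-report" member leaves CspReport null.
        if (cspPost == null || cspPost.CspReport == null)
        {
            return;
        }
        // now you can access properties of cspPost.CspReport
    }
}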
/// <summary>
/// Envelope of a CSP violation report: the browser wraps the actual report in a
/// single "csp-report" object.
/// </summary>
class CspPost
{
    /// <summary>The report payload; null if the posted body has no "csp-report" member.</summary>
    [JsonProperty(PropertyName = "csp-report")]
    public CspReport CspReport { get; set; }
}
/// <summary>
/// The "csp-report" object of a violation report (see the CSP 1.1 example report).
/// Every value is supplied by the reporting browser, i.e. by whoever controls the
/// page, and is not validated during deserialisation.
/// </summary>
class CspReport
{
    /// <summary>Address of the document in which the violation occurred.</summary>
    [JsonProperty(PropertyName = "document-uri")]
    public string DocumentUri { get; set; }

    /// <summary>Referrer of that document, if the browser reports one.</summary>
    [JsonProperty(PropertyName = "referrer")]
    public string Referrer { get; set; }

    /// <summary>Directive whose enforcement caused the violation.</summary>
    [JsonProperty(PropertyName = "effective-directive")]
    public string EffectiveDirective { get; set; }

    /// <summary>Directive as it was written in the policy.</summary>
    [JsonProperty(PropertyName = "violated-directive")]
    public string ViolatedDirective { get; set; }

    /// <summary>The complete policy that was in force.</summary>
    [JsonProperty(PropertyName = "original-policy")]
    public string OriginalPolicy { get; set; }

    /// <summary>Resource that was blocked.</summary>
    [JsonProperty(PropertyName = "blocked-uri")]
    public string BlockedUri { get; set; }

    /// <summary>Script file in which the violation occurred, when known.</summary>
    [JsonProperty(PropertyName = "source-file")]
    public string SourceFile { get; set; }

    /// <summary>Line in the source file; left at its default when the report omits it.</summary>
    [JsonProperty(PropertyName = "line-number")]
    public int LineNumber { get; set; }

    /// <summary>Column in the source file; left at its default when the report omits it.</summary>
    [JsonProperty(PropertyName = "column-number")]
    public int ColumnNumber { get; set; }

    /// <summary>HTTP status code of the document, kept as text.</summary>
    [JsonProperty(PropertyName = "status-code")]
    public string StatusCode { get; set; }
}
这是使用 DataContractJsonSerializer
的一个,它位于命名空间 System.Runtime.Serialization
和 System.Runtime.Serialization.Json
中,不需要其他库,它都在 .NET Framework 中。
控制器:
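/// <summary>
/// Receives CSP violation reports that browsers post to the report-uri endpoint.
/// </summary>
public class ReportingController : Controller
{
    /// <summary>
    /// Deserialises the JSON report from the request body and hands it to the
    /// logging helper. The reply has no body; the content headers only describe
    /// the empty response.
    /// </summary>
    /// <remarks>
    /// Everything in the report is client-supplied and is passed to
    /// <c>ReportingControllerHelper.LogCspReport</c> as-is, so that helper must
    /// escape the fields before writing them to logs, HTML or a database.
    /// Malformed, oversized or empty reports are answered with a 4xx status
    /// instead of surfacing an unhandled exception as a 500.
    /// </remarks>
    [HttpPost]
    public void CspReport()
    {
        // Largest body accepted; real reports are a few KB at most.
        const int MaxReportBytes = 64 * 1024;

        var context = System.Web.HttpContext.Current;
        context.Response.ContentType = "application/json";
        context.Response.ContentEncoding = Encoding.UTF8;

        if (context.Request.ContentLength > MaxReportBytes)
        {
            context.Response.StatusCode = 413;
            return;
        }

        CspReportContainer report;
        using (System.IO.Stream body = context.Request.InputStream)
        {
            var ser = new DataContractJsonSerializer(typeof(CspReportContainer));
            try
            {
                report = (CspReportContainer)ser.ReadObject(body);
            }
            catch (System.Runtime.Serialization.SerializationException)
            {
                // Body is not a document the contract can read; other exception
                // types are left to propagate.
                context.Response.StatusCode = 400;
                return;
            }
        }

        // A body of "null", or one without a "csp-report" member, leaves nothing to log.
        if (report == null || report.Report == null)
        {
            context.Response.StatusCode = 400;
            return;
        }

        ReportingControllerHelper.LogCspReport(report.Report);
    }
}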
模型:
/// <summary>
/// Envelope of a CSP violation report: the browser nests the report inside a
/// single "csp-report" member.
/// </summary>
[DataContract]
public class CspReportContainer
{
    /// <summary>The nested report; null when the body has no "csp-report" member.</summary>
    [DataMember(Name = "csp-report")]
    public CspReport Report { get; set; }
}
/// <summary>
/// Data contract for the "csp-report" object of a violation report. Members are
/// listed in the order the CSP example report uses; the serializer matches them
/// by the JSON name given in <see cref="DataMemberAttribute.Name"/>, not by
/// declaration order. All values are supplied by the reporting browser and are
/// not validated here.
/// </summary>
[DataContract]
public class CspReport
{
    /// <summary>Address of the document in which the violation occurred.</summary>
    [DataMember(Name = "document-uri")]
    public string DocumentUri { get; set; }

    /// <summary>Referrer of that document, if reported.</summary>
    [DataMember(Name = "referrer")]
    public string Referrer { get; set; }

    /// <summary>Resource that was blocked.</summary>
    [DataMember(Name = "blocked-uri")]
    public string BlockedUri { get; set; }

    /// <summary>Directive as written in the policy.</summary>
    [DataMember(Name = "violated-directive")]
    public string ViolatedDirective { get; set; }

    /// <summary>Directive whose enforcement caused the violation.</summary>
    [DataMember(Name = "effective-directive")]
    public string EffectiveDirective { get; set; }

    /// <summary>The complete policy that was in force.</summary>
    [DataMember(Name = "original-policy")]
    public string OriginalPolicy { get; set; }

    /// <summary>Script file in which the violation occurred, when known.</summary>
    [DataMember(Name = "source-file")]
    public string SourceFile { get; set; }

    /// <summary>Line in the source file; null when the report omits it.</summary>
    [DataMember(Name = "line-number")]
    public int? LineNumber { get; set; }

    /// <summary>Column in the source file; null when the report omits it.</summary>
    [DataMember(Name = "column-number")]
    public int? ColumnNumber { get; set; }

    /// <summary>HTTP status code of the document; null when the report omits it.</summary>
    [DataMember(Name = "status-code")]
    public int? StatusCode { get; set; }
}
问题可能与请求的内容类型有关:application/csp-report。它不是:application/json。我刚刚添加到 WebApiConfig:
// Browsers post CSP reports with Content-Type "application/csp-report"; the Web API
// JSON formatter only binds bodies whose media type it has been told about.
var cspReportMediaType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/csp-report");
config.Formatters.JsonFormatter.SupportedMediaTypes.Add(cspReportMediaType);
当然你还需要其他答案的类:CspReportContainer、CspReport
例如,如果您有像这样的 CSP
default-src 'self'; report-uri /CspViolationReport
如果 /CspViolationReport
由 ASP.Net 处理,您如何访问发布的 CSP 违规报告?
我们希望找到一些 JSON 发布的内容,例如http://www.w3.org/TR/CSP11/#example-violation-report
当您检查 Request.Form 时,其中没有任何键;Request.ServerVariables["ALL_RAW"] 中也没有任何踪迹,但 Request.ServerVariables["HTTP_METHOD"] 确实是 "POST"。
用 Fiddler 截取该 POST 请求,可以看到 JSON 确实被发送了,但是 .NET 似乎不让你访问它。
这是一种受 http://muaz-khan.blogspot.co.nz/2012/06/exploring-csp-content-security-policy.html 启发的方法,谢谢!
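/// <summary>
/// Reads the raw request body of a CSP violation report (the browser posts a JSON
/// document, not form fields, so it never shows up in Request.Form) and
/// deserialises it into a <see cref="CspPost"/>.
/// </summary>
/// <remarks>
/// The body is supplied by the reporting client and nothing here validates it;
/// treat every field of <c>cspPost.CspReport</c> as untrusted before logging,
/// storing or rendering it. <c>Request</c> is the enclosing handler's HttpRequest.
/// </remarks>
void ProcessCspValidationReport() {
    // Upper bound on the body that will be buffered into a string. A genuine
    // report is at most a few KB (the original policy is the largest field),
    // so anything bigger is dropped instead of being read into memory.
    const long MaxReportBytes = 64 * 1024;

    // Rewind in case an earlier module already consumed the stream.
    Request.InputStream.Position = 0;
    if (Request.InputStream.Length > MaxReportBytes)
    {
        return;
    }

    using (StreamReader inputStream = new StreamReader(Request.InputStream))
    {
        string s = inputStream.ReadToEnd();
        if (string.IsNullOrWhiteSpace(s))
        {
            return;
        }

        CspPost cspPost = JsonConvert.DeserializeObject<CspPost>(s);
        // DeserializeObject can return null (e.g. for the JSON literal "null"),
        // and a body without a "csp-report" member leaves CspReport null.
        if (cspPost == null || cspPost.CspReport == null)
        {
            return;
        }
        // now you can access properties of cspPost.CspReport
    }
}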
/// <summary>
/// Envelope of a CSP violation report: the browser wraps the actual report in a
/// single "csp-report" object.
/// </summary>
class CspPost
{
    /// <summary>The report payload; null if the posted body has no "csp-report" member.</summary>
    [JsonProperty(PropertyName = "csp-report")]
    public CspReport CspReport { get; set; }
}
/// <summary>
/// The "csp-report" object of a violation report (see the CSP 1.1 example report).
/// Every value is supplied by the reporting browser, i.e. by whoever controls the
/// page, and is not validated during deserialisation.
/// </summary>
class CspReport
{
    /// <summary>Address of the document in which the violation occurred.</summary>
    [JsonProperty(PropertyName = "document-uri")]
    public string DocumentUri { get; set; }

    /// <summary>Referrer of that document, if the browser reports one.</summary>
    [JsonProperty(PropertyName = "referrer")]
    public string Referrer { get; set; }

    /// <summary>Directive whose enforcement caused the violation.</summary>
    [JsonProperty(PropertyName = "effective-directive")]
    public string EffectiveDirective { get; set; }

    /// <summary>Directive as it was written in the policy.</summary>
    [JsonProperty(PropertyName = "violated-directive")]
    public string ViolatedDirective { get; set; }

    /// <summary>The complete policy that was in force.</summary>
    [JsonProperty(PropertyName = "original-policy")]
    public string OriginalPolicy { get; set; }

    /// <summary>Resource that was blocked.</summary>
    [JsonProperty(PropertyName = "blocked-uri")]
    public string BlockedUri { get; set; }

    /// <summary>Script file in which the violation occurred, when known.</summary>
    [JsonProperty(PropertyName = "source-file")]
    public string SourceFile { get; set; }

    /// <summary>Line in the source file; left at its default when the report omits it.</summary>
    [JsonProperty(PropertyName = "line-number")]
    public int LineNumber { get; set; }

    /// <summary>Column in the source file; left at its default when the report omits it.</summary>
    [JsonProperty(PropertyName = "column-number")]
    public int ColumnNumber { get; set; }

    /// <summary>HTTP status code of the document, kept as text.</summary>
    [JsonProperty(PropertyName = "status-code")]
    public string StatusCode { get; set; }
}
这是使用 DataContractJsonSerializer
的一个,它位于命名空间 System.Runtime.Serialization
和 System.Runtime.Serialization.Json
中,不需要其他库,它都在 .NET Framework 中。
控制器:
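/// <summary>
/// Receives CSP violation reports that browsers post to the report-uri endpoint.
/// </summary>
public class ReportingController : Controller
{
    /// <summary>
    /// Deserialises the JSON report from the request body and hands it to the
    /// logging helper. The reply has no body; the content headers only describe
    /// the empty response.
    /// </summary>
    /// <remarks>
    /// Everything in the report is client-supplied and is passed to
    /// <c>ReportingControllerHelper.LogCspReport</c> as-is, so that helper must
    /// escape the fields before writing them to logs, HTML or a database.
    /// Malformed, oversized or empty reports are answered with a 4xx status
    /// instead of surfacing an unhandled exception as a 500.
    /// </remarks>
    [HttpPost]
    public void CspReport()
    {
        // Largest body accepted; real reports are a few KB at most.
        const int MaxReportBytes = 64 * 1024;

        var context = System.Web.HttpContext.Current;
        context.Response.ContentType = "application/json";
        context.Response.ContentEncoding = Encoding.UTF8;

        if (context.Request.ContentLength > MaxReportBytes)
        {
            context.Response.StatusCode = 413;
            return;
        }

        CspReportContainer report;
        using (System.IO.Stream body = context.Request.InputStream)
        {
            var ser = new DataContractJsonSerializer(typeof(CspReportContainer));
            try
            {
                report = (CspReportContainer)ser.ReadObject(body);
            }
            catch (System.Runtime.Serialization.SerializationException)
            {
                // Body is not a document the contract can read; other exception
                // types are left to propagate.
                context.Response.StatusCode = 400;
                return;
            }
        }

        // A body of "null", or one without a "csp-report" member, leaves nothing to log.
        if (report == null || report.Report == null)
        {
            context.Response.StatusCode = 400;
            return;
        }

        ReportingControllerHelper.LogCspReport(report.Report);
    }
}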
模型:
/// <summary>
/// Envelope of a CSP violation report: the browser nests the report inside a
/// single "csp-report" member.
/// </summary>
[DataContract]
public class CspReportContainer
{
    /// <summary>The nested report; null when the body has no "csp-report" member.</summary>
    [DataMember(Name = "csp-report")]
    public CspReport Report { get; set; }
}
/// <summary>
/// Data contract for the "csp-report" object of a violation report. Members are
/// listed in the order the CSP example report uses; the serializer matches them
/// by the JSON name given in <see cref="DataMemberAttribute.Name"/>, not by
/// declaration order. All values are supplied by the reporting browser and are
/// not validated here.
/// </summary>
[DataContract]
public class CspReport
{
    /// <summary>Address of the document in which the violation occurred.</summary>
    [DataMember(Name = "document-uri")]
    public string DocumentUri { get; set; }

    /// <summary>Referrer of that document, if reported.</summary>
    [DataMember(Name = "referrer")]
    public string Referrer { get; set; }

    /// <summary>Resource that was blocked.</summary>
    [DataMember(Name = "blocked-uri")]
    public string BlockedUri { get; set; }

    /// <summary>Directive as written in the policy.</summary>
    [DataMember(Name = "violated-directive")]
    public string ViolatedDirective { get; set; }

    /// <summary>Directive whose enforcement caused the violation.</summary>
    [DataMember(Name = "effective-directive")]
    public string EffectiveDirective { get; set; }

    /// <summary>The complete policy that was in force.</summary>
    [DataMember(Name = "original-policy")]
    public string OriginalPolicy { get; set; }

    /// <summary>Script file in which the violation occurred, when known.</summary>
    [DataMember(Name = "source-file")]
    public string SourceFile { get; set; }

    /// <summary>Line in the source file; null when the report omits it.</summary>
    [DataMember(Name = "line-number")]
    public int? LineNumber { get; set; }

    /// <summary>Column in the source file; null when the report omits it.</summary>
    [DataMember(Name = "column-number")]
    public int? ColumnNumber { get; set; }

    /// <summary>HTTP status code of the document; null when the report omits it.</summary>
    [DataMember(Name = "status-code")]
    public int? StatusCode { get; set; }
}
问题可能与请求的内容类型有关:application/csp-report。它不是:application/json。我刚刚添加到 WebApiConfig:
// Browsers post CSP reports with Content-Type "application/csp-report"; the Web API
// JSON formatter only binds bodies whose media type it has been told about.
var cspReportMediaType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/csp-report");
config.Formatters.JsonFormatter.SupportedMediaTypes.Add(cspReportMediaType);
当然你还需要其他答案的类:CspReportContainer、CspReport