I'm adding CSP[1] to my HTML pages because OWASP recommends it[2], but I'm having trouble accepting reports with a Java/Jetty server.
The request I'm trying to process looks like this (in Chrome dev tools):
Request Headers:
:authority: myServer
:method: POST
:path: /somePath
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es;q=0.8
cache-control: no-cache
content-length: 685
content-type: application/csp-report
cookie: __cfduid=db5826e6e52efde6f19240e64885648011584136689; Hoshin=XfWP9dfo8V2sN4a9iqz2EAkhQfLKo8Lz_109781
origin: https://myServer
pragma: no-cache
referer: https://myServer/anotherPath
sec-fetch-dest: report
sec-fetch-mode: no-cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Request Payload:
{"csp-report":{
  "document-uri":"https://myServer/anotherPath",
  "referrer":"https://myServer/yetAnotherPath",
  "violated-directive":"style-src-attr",
  "effective-directive":"style-src-attr",
  "original-policy":"default-src 'self';script-src 'self' stackpath.bootstrapcdn.com code.jquery.com cdn.jsdelivr.net cdnjs.cloudflare.com 'unsafe-eval' 'unsafe-inline';report-uri CspReport.act;",
  "disposition":"report",
  "blocked-uri":"inline",
  "line-number":173,
  "source-file":"https://myServer/anotherPath",
  "status-code":0,
  "script-sample":""
}}
Question:
What's this "Payload" thing and how am I supposed to access it in Java? If I call `request.getParts()` on the HttpServletRequest, I get:
javax.servlet.ServletException: Unsupported Content-Type [application/csp-report], expected [multipart/form-data]
at org.eclipse.jetty.server.Request.getParts(Request.java:2309)
I can access the "Payload" using Jetty's `baseRequest.getInputStream()` and I guess I'm just wondering if that's the best/only way to do it. I'm used to doing whatever I need in the `HttpServletRequest`, not `org.eclipse.jetty.server.Request`.
Thanks for all your help in the past.
Notes:
--
Glen K. Peterson
(828) 393-0081
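The "Payload" shown above is the raw JSON request body, not form parts, so `getParts()` (multipart only) cannot return it; the body is read from `HttpServletRequest.getInputStream()` or `getReader()`, which is what the servlet API intends for a non-form POST and needs nothing Jetty-specific. The following servlet is an added example, not code from the original post or from Jetty: it accepts a `report-uri` POST like the one captured above, checks the media type, bounds the body size (the endpoint is reachable by anyone, not only the browser), parses the `csp-report` object, and logs a few fields with control characters stripped so a crafted report cannot forge log lines. It assumes Servlet 3.1+ (`javax.servlet`, as in the stack trace) and Jackson (`com.fasterxml.jackson.databind`) on the classpath; the `/CspReport.act` mapping is an assumption based on the relative `report-uri CspReport.act` in the captured policy.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

// Assumed mapping: the captured policy uses the relative report-uri "CspReport.act".
@WebServlet("/CspReport.act")
public class CspReportServlet extends HttpServlet {

    // Media type browsers use for report-uri violation reports (see the captured headers).
    private static final String CSP_REPORT_TYPE = "application/csp-report";
    // The endpoint is unauthenticated and internet-reachable, so cap what we are willing to read.
    private static final int MAX_BODY_BYTES = 16 * 1024;
    // Longest value we keep per field when logging.
    private static final int MAX_FIELD_CHARS = 512;
    private static final String[] LOGGED_FIELDS = {
        "document-uri", "violated-directive", "effective-directive",
        "blocked-uri", "source-file", "line-number", "disposition"
    };
    private static final ObjectMapper MAPPER = new ObjectMapper();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Reject anything that is not a CSP report; the prefix check tolerates a charset parameter.
        String contentType = req.getContentType();
        if (contentType == null || !contentType.toLowerCase().startsWith(CSP_REPORT_TYPE)) {
            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        // Declared length is a hint only; the bounded read below is the real limit.
        if (req.getContentLengthLong() > MAX_BODY_BYTES) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }

        // Plain servlet API: the JSON body comes from the request input stream.
        byte[] body = readBounded(req.getInputStream(), MAX_BODY_BYTES);
        if (body == null) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }

        JsonNode report;
        try {
            // path() yields a MissingNode (not null) when "csp-report" is absent.
            report = MAPPER.readTree(body).path("csp-report");
        } catch (IOException malformedJson) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (!report.isObject()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Log a fixed set of fields; all values are attacker-controllable, so sanitize them.
        StringBuilder line = new StringBuilder("CSP violation");
        for (String field : LOGGED_FIELDS) {
            JsonNode value = report.get(field);
            if (value != null && !value.isNull()) {
                line.append(' ').append(field).append('=').append(sanitize(value.asText()));
            }
        }
        getServletContext().log(line.toString());

        // The browser ignores the response body; 204 is the conventional reply.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** Reads at most {@code limit} bytes; returns null if the stream holds more than that. */
    static byte[] readBounded(InputStream in, int limit) throws IOException {
        byte[] buf = new byte[limit + 1];
        int total = 0;
        int n;
        while (total < buf.length && (n = in.read(buf, total, buf.length - total)) != -1) {
            total += n;
        }
        return total > limit ? null : Arrays.copyOf(buf, total);
    }

    /** Replaces control characters (CR, LF, ESC, ...) and truncates, so log lines cannot be forged. */
    static String sanitize(String s) {
        StringBuilder out = new StringBuilder(Math.min(s.length(), MAX_FIELD_CHARS));
        for (int i = 0; i < s.length() && i < MAX_FIELD_CHARS; i++) {
            char c = s.charAt(i);
            out.append(c < 0x20 || c == 0x7f ? '?' : c);
        }
        return out.toString();
    }
}
```

Two deployment caveats follow from the captured request: the browser sends the report with `sec-fetch-mode: no-cors` and no form fields, so any CSRF filter or login requirement in front of this path will silently drop every report, and the path should be exempted from such filters rather than weakened globally; and because the session cookie is sent with a same-origin report, the handler above deliberately never touches the session or the cookie.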