atuttle / Taffy

:candy: The REST Web Service framework for ColdFusion and Lucee
http://taffy.io

Add CSP Support ("application/csp-report" content type) #383

Open JamoCA opened 5 years ago

JamoCA commented 5 years ago

I recently made some modifications so that I could use Taffy as an endpoint to receive Content Security Policy (CSP) violation reports.

In order to accept background posts containing a JSON header from browsers, I had to add the following requestObj.contentType override to core\api.cfc in the parseRequest method.

<cfif requestObj.contentType is "application/csp-report">
    <cfset requestObj.contentType = "application/json">
</cfif>

In the endpoint script, the JSON payload is retrieved using the HTTP Request content.

<cfset jsonData = toString(getHttpRequestData().content)>
<cfif not isJson(jsonData)>
    <cfreturn representationOf({}).withStatus(204) />
</cfif>

This has been working successfully for me, but I wonder if I did it correctly or not. There's no other way for Taffy to know how to consume a CSP report in the header without having had to hack the core api CFC, right? Is this the best way to consume CSP reports? Thanks.

jmohler1970 commented 5 years ago

Are you referring to this?

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust of the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those whitelisted domains, ignoring all other script (including inline scripts and event-handling HTML attributes).

JamoCA commented 5 years ago

Yes. When a CSP header "report" designation is used, the browser automatically performs an HTTP POST with JSON data of the violations using "application/csp-report" as the content type. Taffy will accept posts if the core api.cfc is updated to accept & rewrite the content type to "application/json"... otherwise Taffy doesn't identify it as a valid API request.
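The two steps the thread describes, as an added example in Python rather than CFML (this is not code from the thread or from Taffy): map the CSP report media type onto application/json, tolerating parameters such as a charset that a plain equality test would miss, then validate the csp-report envelope before recording it, answering 204 with nothing recorded for anything else. The field names are the standard csp-report fields; the sample report values are constructed.

```python
import json
from typing import Optional, Tuple

# Media type browsers use when posting report-uri violation reports.
CSP_REPORT_TYPE = "application/csp-report"

# Fields a usable csp-report envelope must carry; the others are optional.
REQUIRED_FIELDS = ("document-uri", "violated-directive")


def normalize_content_type(header: Optional[str]) -> Optional[str]:
    """Rewrite the CSP report media type to application/json, as the
    api.cfc override in the thread does, but strip parameters such as
    '; charset=utf-8' and ignore case first, so those variants do not
    fall through as unrecognised requests."""
    if not header:
        return header
    media_type = header.split(";", 1)[0].strip().lower()
    return "application/json" if media_type == CSP_REPORT_TYPE else media_type


def handle_csp_post(content_type: Optional[str], body: bytes) -> Tuple[int, Optional[dict]]:
    """Return (status, report). A report endpoint has nothing to send back,
    so a well-formed report yields 204 plus the parsed csp-report object for
    logging; non-JSON or malformed bodies yield 204 and None, as in the
    thread's endpoint; any other content type is rejected with 415."""
    if normalize_content_type(content_type) != "application/json":
        return 415, None
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 204, None
    report = payload.get("csp-report") if isinstance(payload, dict) else None
    if not isinstance(report, dict) or not all(k in report for k in REQUIRED_FIELDS):
        return 204, None
    return 204, report


# Constructed sample of a browser-generated report (values are made up).
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://cdn.example.net/lib.js",
    "original-policy": "script-src 'self'; report-uri /csp-report",
}}).encode("utf-8")

if __name__ == "__main__":
    status, report = handle_csp_post("application/csp-report; charset=utf-8", SAMPLE_BODY)
    print(status, report)
```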