
How can I test a CSP report-uri endpoint?

I've added a Content Security Policy to my website and made a report-uri endpoint with AWS API Gateway, Lambda, and DynamoDB. I've tested it with Postman using the following JSON:

    {
      "resource": "/",
      "path": "/",
      "requestContext": {
        "resourcePath": "/",
        "httpMethod": "POST",
        "path": "/latest"
      },
      "headers": {
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "accept-encoding": "gzip, deflate, br",
        "Host": "70ixmpl4fl.execute-api.us-east-2.amazonaws.com",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36",
        "X-Amzn-Trace-Id": "Root=1-5e66d96f-7491f09xmpl79d18acf3d050"
      },
      "multiValueHeaders": {
        "accept": [
          "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
        ],
        "accept-encoding": [
          "gzip, deflate, br"
        ]
      },
      "queryStringParameters": null,
      "multiValueQueryStringParameters": null,
      "pathParameters": null,
      "stageVariables": null,
      "body": {
        "csp-report": {
          "document-uri": "https://example.com/signup.html",
          "referrer": "",
          "blocked-uri": "https://example.com/css/style.css",
          "violated-directive": "style-src cdn.example.com",
          "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports"
        }
      },
      "isBase64Encoded": false
    }

It seems to work properly when using Postman. But when I add the endpoint to my Content Security Policy and attempt to violate the policy, I can't seem to get it to report correctly.

Does the JSON above adequately demonstrate what a real CSP violation would look like? I've looked around and haven't seen much about developing your own endpoint. Any resources or other advice is greatly appreciated.

It depends on the browser:

  1. Some browsers send the JSON and CSP violation report, some send the csp-report.
  2. A few browsers send the request base64 encoded.
  3. Specifically, the Chrome browser sends it base64 encoded and in JSON format, in your payload.

Hopefully it answers your question.
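An added example, not code from the question or the answer: a Lambda handler for the API Gateway proxy integration that decodes the report the way the answer describes, since a real proxy event carries `body` as a string that is base64-encoded when `isBase64Encoded` is true, whereas the Postman test above embeds it as an object. It accepts both the legacy `{"csp-report": {...}}` object and the newer Reporting API array format (which the page does not discuss); the function names and the sample event are constructed.

```python
import base64
import json

# Reporting API (application/reports+json) body keys mapped to the legacy
# application/csp-report names so both formats normalise to one schema.
REPORTING_API_KEYS = {"documentURL": "document-uri", "blockedURL": "blocked-uri",
                      "effectiveDirective": "effective-directive",
                      "originalPolicy": "original-policy", "disposition": "disposition"}


def decode_body(event):
    """Return the API Gateway proxy event's body as a Python object."""
    body = event.get("body")
    if isinstance(body, (dict, list)):  # hand-written Postman event with an inline object
        return body
    if not body:
        raise ValueError("empty body")
    if event.get("isBase64Encoded"):  # real proxy events carry a string, maybe base64
        body = base64.b64decode(body).decode("utf-8")
    return json.loads(body)


def parse_csp_reports(event):
    """Return a list of reports using the legacy hyphenated field names."""
    payload = decode_body(event)
    if isinstance(payload, dict) and "csp-report" in payload:
        return [dict(payload["csp-report"])]
    if isinstance(payload, list):  # Reporting API: [{"type": "csp-violation", "body": {...}}]
        return [{new: r["body"][old] for old, new in REPORTING_API_KEYS.items() if old in r["body"]}
                for r in payload if r.get("type") == "csp-violation"]
    raise ValueError("not a CSP report")


def lambda_handler(event, context=None):
    """Decode the report, log it for CloudWatch and answer 204; malformed input gets 400."""
    try:
        reports = parse_csp_reports(event)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    for report in reports:
        print(json.dumps(report))  # the DynamoDB put_item would replace this
    return {"statusCode": 204, "body": ""}


# Constructed sample event: a base64-encoded legacy report, as the answer says Chrome sends.
SAMPLE_REPORT = {"csp-report": {"document-uri": "https://example.com/signup.html",
                                "blocked-uri": "https://example.com/css/style.css",
                                "violated-directive": "style-src cdn.example.com"}}
SAMPLE_EVENT = {"isBase64Encoded": True,
                "body": base64.b64encode(json.dumps(SAMPLE_REPORT).encode()).decode()}
```

To test without a browser, invoke the handler with `SAMPLE_EVENT` or send the same base64 string as the `body` of a proxy test event in the Lambda console.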
