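private void ProcessCSPReport(Session session)
        {
            // Parse the CSP violation report carried in this request's body and feed it to
            // the rule collector. The body comes straight off the wire from the browser (or
            // anything else able to reach reportHost), so every field in it is untrusted.
            string requestBody = session.GetRequestBodyAsString();

            // Bodiless requests carry nothing to record. Checking for null as well as empty
            // avoids dereferencing a null body (the other handler variant in this file
            // tests for null explicitly, so the accessor is presumably allowed to return it).
            if (string.IsNullOrEmpty(requestBody))
            {
                return;
            }

            try
            {
                CSPReport cspReport = CSPReport.Parse(requestBody);
                if (cspReport.cspReport != null && cspReport.cspReport.documentUri != null)
                {
                    // NOTE(review): documentUri (and the serialized report below) is attacker-controlled
                    // text. If logger writes to a file or anything line-oriented, CR/LF inside it can
                    // forge log entries; the logger should strip control characters before writing.
                    logger.Log("Got report for " + cspReport.cspReport.documentUri + " via " + session.fullUrl);
                }

                logger.Log("Adding " + cspReport.ToString());
                // The report endpoint's path selects how a blank directive value is interpreted.
                // This is an exact match: a query string or trailing slash on the report URI would
                // silently fall through to UnsafeInline -- presumably the injected report-uri never
                // carries one; verify against the policy generator.
                collector.Add(cspReport, session.PathAndQuery == "/unsafe-eval" ?
                              CSPRuleCollector.InterpretBlank.UnsafeEval : CSPRuleCollector.InterpretBlank.UnsafeInline);
                logger.Log("Total " + collector.ToString());
            }
            catch (Exception exception)
            {
                // A malformed report (or anything collector.Add throws) is logged and dropped
                // rather than propagated: one bad report must not take the extension down.
                logger.Log("Invalid CSP - " + exception);
            }
        }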
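        public void AutoTamperRequestBefore(Session session)
        {
            // Fiddler hook, invoked before a request goes upstream. Only requests addressed
            // to reportHost matter here: they are the CSP violation reports the browser sends
            // because of the policy this extension injects. They are answered locally with a
            // fixed page and never forwarded, and their body is recorded in the collector.
            if (!Settings.enabled)
            {
                return;
            }

            // Anything not aimed at the report host, or travelling over FTP, is left alone.
            // HostnameIs() is Fiddler's hostname comparison helper; it is the check that decides
            // whether a request is swallowed locally instead of reaching the real network.
            if (!session.HostnameIs(reportHost) || session.isFTP)
            {
                return;
            }

            // TODO: We should offer an option to hide the reports from Fiddler; change "ui-strikeout" to "ui-hide" in the next line
            session["ui-strikeout"] = "CSPReportGenerator";

            // A CONNECT to the report host is answered with a tunnel so that the request
            // carried inside it comes back through this hook and is handled below.
            if (session.HTTPMethodIs("CONNECT"))
            {
                session["x-replywithtunnel"] = "CSPReportGenerator";
                return;
            }

            // Static, non-reflecting acknowledgement: nothing from the request is echoed back.
            session.utilCreateResponseAndBypassServer();
            session.oResponse.headers.Add("Content-Type", "text/html");
            session.ResponseBody = Encoding.UTF8.GetBytes("<!doctype html><HTML><BODY><H1>Report received. Thanks. You're the best.</H1></BODY></HTML>");

            // NOTE(review): everything from here on duplicates ProcessCSPReport() above;
            // consider delegating to it so the two paths cannot drift apart.
            string requestBody = session.GetRequestBodyAsString();

            // Bodiless requests carry nothing to record. Checking for null as well as empty
            // avoids dereferencing a null body (the other handler variant in this file tests
            // for null explicitly, so the accessor is presumably allowed to return it).
            if (string.IsNullOrEmpty(requestBody))
            {
                return;
            }

            try
            {
                CSPReport cspReport = CSPReport.Parse(requestBody);
                if (cspReport.cspReport != null && cspReport.cspReport.documentUri != null)
                {
                    // NOTE(review): documentUri (and the serialized report below) is attacker-controlled
                    // text. If logger writes to a file or anything line-oriented, CR/LF inside it can
                    // forge log entries; the logger should strip control characters before writing.
                    logger.Log("Got report for " + cspReport.cspReport.documentUri + " via " + session.fullUrl);
                }

                logger.Log("Adding " + cspReport.ToString());
                // The report endpoint's path selects how a blank directive value is interpreted.
                // Exact match: a query string or trailing slash on the report URI would silently
                // fall through to UnsafeInline -- presumably the injected report-uri never carries
                // one; verify against the policy generator.
                collector.Add(cspReport, session.PathAndQuery == "/unsafe-eval" ?
                              CSPRuleCollector.InterpretBlank.UnsafeEval : CSPRuleCollector.InterpretBlank.UnsafeInline);
                logger.Log("Total " + collector.ToString());
            }
            catch (Exception exception)
            {
                // A malformed report (or anything collector.Add throws) is logged and dropped
                // rather than propagated: one bad report must not take the extension down.
                logger.Log("Invalid CSP - " + exception);
            }
        }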
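        public void AutoTamperRequestBefore(Session session)
        {
            // Fiddler hook, invoked before a request goes upstream. Requests addressed to
            // reportHost are the CSP violation reports generated because of this extension:
            // they are answered locally with a fixed page, never forwarded, and their body is
            // recorded in the collector. Every other non-tunnel, non-FTP session merely has
            // its response buffered.
            if (session.isTunnel || session.isFTP)
            {
                return;
            }

            bool handled = false;

            // NOTE(review): oRequest.host is compared case-sensitively and may include a port,
            // whereas the other handler variant in this file uses session.HostnameIs(). This
            // comparison decides which requests are swallowed locally instead of reaching the
            // network, so confirm reportHost is a bare lower-case hostname.
            if (session.oRequest.host == reportHost && Settings.enabled)
            {
                // Not sure the best way to handle these report URI requests. They are real requests from the browser but
                // only generated because of this extension. Not sure if should be hidden from Fiddler's view or marked specially.

                // Static, non-reflecting acknowledgement: nothing from the request is echoed back.
                session.utilCreateResponseAndBypassServer();
                session.oResponse.headers.Add("Content-Type", "text/html");
                session.ResponseBody = Encoding.UTF8.GetBytes("<!doctype html><HTML><BODY><H1>Report received. Thanks. You're the best.</H1></BODY></HTML>");

                string requestBody = session.GetRequestBodyAsString();
                if (!string.IsNullOrEmpty(requestBody))
                {
                    CSPReport cspReport = CSPReport.TryParse(requestBody);
                    if (cspReport == null)
                    {
                        // TryParse signals a malformed body with null; previously the code went on
                        // to call ToString() on it and would throw. Log and drop the report instead --
                        // the body is untrusted and one bad report must not take the extension down.
                        Log("Invalid CSP report via " + session.fullUrl);
                    }
                    else
                    {
                        if (cspReport.cspReport != null && cspReport.cspReport.documentUri != null)
                        {
                            // NOTE(review): documentUri (and the serialized report below) is
                            // attacker-controlled text; if Log() writes to a file, CR/LF inside it
                            // can forge log entries. Strip control characters in the logger.
                            Log("Got report for " + cspReport.cspReport.documentUri);
                        }
                        Log("Adding " + cspReport.ToString());
                        // The report endpoint's path selects how a blank directive value is interpreted.
                        // Exact match: a query string on the report URI would fall through to UnsafeInline.
                        collector.Add(cspReport, session.PathAndQuery == "/unsafe-eval" ?
                                      CSPRuleCollector.InterpretBlank.UnsafeEval : CSPRuleCollector.InterpretBlank.UnsafeInline);
                        Log("Total " + collector.ToString());

                        handled = true;
                    }
                }
            }

            // Sessions not consumed as a report are buffered so later hooks can inspect
            // the full response.
            if (!handled)
            {
                session.bBufferResponse = true;
            }
        }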