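/// <summary>
/// Records the source named by a CSP violation report as a rule for the report's
/// document URI and directive, then notifies <c>OnRuleAddedOrModified</c> subscribers.
/// </summary>
/// <param name="cspReport">
/// The violation report. Its inner <c>cspReport</c> object must carry a blocked-uri,
/// a document-uri and at least one of violated-directive / effective-directive.
/// </param>
/// <param name="blankIs">
/// How a blank blocked-uri is interpreted: <c>'unsafe-inline'</c> for
/// <c>InterpretBlank.UnsafeInline</c>, <c>'unsafe-eval'</c> otherwise.
/// </param>
/// <remarks>
/// The report fields are presumably deserialized from a browser-submitted report and are
/// therefore treated as untrusted. Tokens that this method builds by concatenation are
/// checked against the CSP grammar before they are stored, so a crafted report cannot
/// place delimiters such as spaces or ';' into a rule. How <c>rules</c> is later turned
/// into a policy string is not visible here; rules collected this way should be reviewed
/// before they are deployed.
/// </remarks>
public void Add(CSPReport cspReport, InterpretBlank blankIs)
{
    // scheme-part per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    const string SchemePattern = @"\A[A-Za-z][A-Za-z0-9+.\-]*\z";
    // CSP directive-name: 1*( ALPHA / DIGIT / "-" )
    const string DirectiveNamePattern = @"\A[A-Za-z0-9\-]+\z";

    // A report body without the csp-report object would otherwise fail with a
    // NullReferenceException on the first property access.
    if (cspReport == null
        || cspReport.cspReport == null
        || cspReport.cspReport.blockedUri == null
        || cspReport.cspReport.documentUri == null
        || (cspReport.cspReport.violatedDirective == null && cspReport.cspReport.effectiveDirective == null))
    {
        FiddlerExtension.Log("FiddlerCSP: Invalid cspreport: " + cspReport);
        return;
    }

    string documentUri = cspReport.cspReport.documentUri;
    // NOTE(review): UriOrigin's behaviour on a malformed URI is not visible here - confirm
    // that it cannot throw on attacker-supplied input.
    string documentUriOrigin = UriOrigin(documentUri);
    string directive = cspReport.cspReport.effectiveDirective ?? cspReport.cspReport.violatedDirective;
    string blockedUri = cspReport.cspReport.blockedUri;

    if (blockedUri.Trim().Length == 0)
    {
        // How to handle unsafe-eval? Might require a different report-uri and rule set.
        blockedUri = blankIs == InterpretBlank.UnsafeInline ? "'unsafe-inline'" : "'unsafe-eval'";
    }
    else if (blockedUri.IndexOf(':') >= 0)
    {
        // Anything containing a colon is treated as a URI and reduced to its origin.
        blockedUri = UriWrtDocumentUri(UriOrigin(blockedUri), documentUriOrigin);
    }
    else if (blockedUri == "self")
    {
        // Firefox can return self as the blocked-uri.
        blockedUri = "'self'";
    }
    else
    {
        // Reports can give a bare scheme name with no delimiter. Only a well-formed scheme
        // is turned into a scheme-source; anything else is rejected rather than stored.
        if (!System.Text.RegularExpressions.Regex.IsMatch(blockedUri, SchemePattern))
        {
            FiddlerExtension.Log("FiddlerCSP: Invalid cspreport: " + cspReport);
            return;
        }

        blockedUri = blockedUri + ":";
    }

    // directive may be script-src or script-src none. We want just the first part.
    directive = directive.Split(' ')[0];
    if (!System.Text.RegularExpressions.Regex.IsMatch(directive, DirectiveNamePattern))
    {
        FiddlerExtension.Log("FiddlerCSP: Invalid cspreport: " + cspReport);
        return;
    }

    cacheLock.EnterWriteLock();
    try
    {
        if (!rules.ContainsKey(documentUri))
        {
            rules.Add(documentUri, new Dictionary<string, HashSet<string>>());
        }

        var directivesForDocument = rules[documentUri];
        if (!directivesForDocument.ContainsKey(directive))
        {
            directivesForDocument.Add(directive, new HashSet<string>());
        }

        directivesForDocument[directive].Add(blockedUri);
    }
    finally
    {
        cacheLock.ExitWriteLock();
    }

    // Snapshot the delegate: invoking it directly throws when nobody has subscribed.
    var handler = OnRuleAddedOrModified;
    if (handler != null)
    {
        handler.Invoke(documentUri, Get(documentUri));
    }
}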
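/// <summary>
/// Records the source named by a CSP violation report as a rule for the report's
/// document URI and directive, then notifies <c>OnRuleAddedOrModified</c> subscribers.
/// </summary>
/// <param name="cspReport">
/// The violation report. Its inner <c>cspReport</c> object must carry a blocked-uri,
/// a document-uri and at least one of violated-directive / effective-directive;
/// otherwise the report is logged as invalid and ignored.
/// </param>
/// <param name="blankIs">
/// How a blank blocked-uri is interpreted: <c>'unsafe-inline'</c> for
/// <c>InterpretBlank.UnsafeInline</c>, <c>'unsafe-eval'</c> otherwise.
/// </param>
/// <remarks>
/// The report fields are presumably deserialized from a browser-submitted report and are
/// therefore treated as untrusted. The scheme-only source and the directive name are
/// checked against the CSP grammar before being stored, so a crafted report cannot place
/// delimiters such as spaces or ';' into a rule. How <c>rules</c> is later serialized is
/// not visible here; rules collected this way should be reviewed before deployment.
/// </remarks>
public void Add(CSPReport cspReport, InterpretBlank blankIs)
{
    // scheme-part per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    const string SchemePattern = @"\A[A-Za-z][A-Za-z0-9+.\-]*\z";
    // CSP directive-name: 1*( ALPHA / DIGIT / "-" )
    const string DirectiveNamePattern = @"\A[A-Za-z0-9\-]+\z";

    // A report body without the csp-report object would otherwise fail with a
    // NullReferenceException on the first property access below.
    if (cspReport == null || cspReport.cspReport == null)
    {
        logger.Log("Invalid CSP Report - missing csp-report property.");
        return;
    }

    if (cspReport.cspReport.blockedUri == null)
    {
        logger.Log("Invalid CSP Report - missing blocked-uri property.");
        return;
    }

    if (cspReport.cspReport.documentUri == null)
    {
        logger.Log("Invalid CSP Report - missing document-uri property.");
        return;
    }

    if (cspReport.cspReport.violatedDirective == null && cspReport.cspReport.effectiveDirective == null)
    {
        logger.Log("Invalid CSP Report - missing violated-directive and effective-directive properties.");
        return;
    }

    string documentUri = cspReport.cspReport.documentUri;
    // NOTE(review): UriOrigin's behaviour on a malformed URI is not visible here - confirm
    // that it cannot throw on attacker-supplied input.
    string documentUriOrigin = UriOrigin(documentUri);
    string directive = cspReport.cspReport.effectiveDirective ?? cspReport.cspReport.violatedDirective;
    string blockedUri = cspReport.cspReport.blockedUri;

    if (blockedUri.Trim().Length == 0)
    {
        // A blank blocked-uri indicates either unsafe-inline or unsafe-eval. The caller
        // tells us which it is.
        blockedUri = blankIs == InterpretBlank.UnsafeInline ? "'unsafe-inline'" : "'unsafe-eval'";
    }
    else if (blockedUri.IndexOf(':') >= 0)
    {
        // If there's a colon, assume it's a URI and reduce it to its origin.
        blockedUri = UriWrtDocumentUri(UriOrigin(blockedUri), documentUriOrigin);
    }
    else if (blockedUri == "self")
    {
        // Firefox can return self as the blocked-uri.
        blockedUri = "'self'";
    }
    else
    {
        // Lastly, CSP reports may contain just a scheme name with no delimiter. Only a
        // well-formed scheme becomes a scheme-source; anything else is rejected.
        if (!System.Text.RegularExpressions.Regex.IsMatch(blockedUri, SchemePattern))
        {
            logger.Log("Invalid CSP Report - malformed blocked-uri property.");
            return;
        }

        blockedUri = blockedUri + ":";
    }

    // Directive might be something like script-src or script-src none. We want just the first part.
    directive = directive.Split(' ')[0];
    if (!System.Text.RegularExpressions.Regex.IsMatch(directive, DirectiveNamePattern))
    {
        logger.Log("Invalid CSP Report - malformed directive name.");
        return;
    }

    cacheLock.EnterWriteLock();
    try
    {
        if (!rules.ContainsKey(documentUri))
        {
            rules.Add(documentUri, new Dictionary<string, HashSet<string>>());
        }

        var directivesForDocument = rules[documentUri];
        if (!directivesForDocument.ContainsKey(directive))
        {
            directivesForDocument.Add(directive, new HashSet<string>());
        }

        directivesForDocument[directive].Add(blockedUri);
    }
    finally
    {
        cacheLock.ExitWriteLock();
    }

    // Snapshot the delegate so a concurrent unsubscribe between the null check and the
    // call cannot produce a NullReferenceException.
    var handler = OnRuleAddedOrModified;
    if (handler != null)
    {
        handler.Invoke(documentUri, Get(documentUri));
    }
}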
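/// <summary>
/// Turns one CSP violation report into a rule entry (document URI, directive, source)
/// and raises <c>OnRuleAddedOrModified</c> with the updated rules for that document.
/// </summary>
/// <param name="cspReport">
/// The violation report. Reports lacking the inner <c>cspReport</c> object, a blocked-uri,
/// a document-uri, or both directive fields are logged and dropped.
/// </param>
/// <param name="blankIs">
/// Selects the keyword stored for a blank blocked-uri: <c>'unsafe-inline'</c> for
/// <c>InterpretBlank.UnsafeInline</c>, <c>'unsafe-eval'</c> otherwise.
/// </param>
/// <remarks>
/// Report contents are presumably supplied by whatever page the browser loaded, so they
/// are handled as untrusted input. A scheme-only blocked-uri and the directive name are
/// matched against the CSP grammar before being stored; values containing other
/// characters (spaces, ';', ',') are rejected instead of being concatenated into a rule.
/// The later serialization of <c>rules</c> is outside this method; generated rules
/// should still be reviewed before they are deployed as a policy.
/// </remarks>
public void Add(CSPReport cspReport, InterpretBlank blankIs)
{
    // scheme-part per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    const string SchemePattern = @"\A[A-Za-z][A-Za-z0-9+.\-]*\z";
    // CSP directive-name: 1*( ALPHA / DIGIT / "-" )
    const string DirectiveNamePattern = @"\A[A-Za-z0-9\-]+\z";

    if (cspReport == null || cspReport.cspReport == null)
    {
        // Without this check an empty report body fails with a NullReferenceException.
        logger.Log("Invalid CSP Report - missing csp-report property.");
    }
    else if (cspReport.cspReport.blockedUri == null)
    {
        logger.Log("Invalid CSP Report - missing blocked-uri property.");
    }
    else if (cspReport.cspReport.documentUri == null)
    {
        logger.Log("Invalid CSP Report - missing document-uri property.");
    }
    else if (cspReport.cspReport.violatedDirective == null && cspReport.cspReport.effectiveDirective == null)
    {
        logger.Log("Invalid CSP Report - missing violated-directive and effective-directive properties.");
    }
    else
    {
        string documentUri = cspReport.cspReport.documentUri;
        // NOTE(review): whether UriOrigin tolerates malformed input is not visible here - confirm.
        string documentUriOrigin = UriOrigin(documentUri);
        string reportedDirective = cspReport.cspReport.effectiveDirective ?? cspReport.cspReport.violatedDirective;
        string reportedUri = cspReport.cspReport.blockedUri;

        string source = reportedUri;
        bool sourceIsWellFormed = true;

        if (reportedUri.Trim().Length == 0)
        {
            // A blank blocked-uri indicates either unsafe-inline or unsafe-eval. The caller
            // tells us which it is.
            source = blankIs == InterpretBlank.UnsafeInline ? "'unsafe-inline'" : "'unsafe-eval'";
        }
        else if (reportedUri.IndexOf(':') >= 0)
        {
            // If there's a colon, assume it's a URI.
            source = UriWrtDocumentUri(UriOrigin(reportedUri), documentUriOrigin);
        }
        else if (reportedUri == "self")
        {
            // Firefox can return self as the blocked-uri.
            source = "'self'";
        }
        else if (System.Text.RegularExpressions.Regex.IsMatch(reportedUri, SchemePattern))
        {
            // Lastly, CSP reports may contain just the scheme name with no delimiter.
            source = reportedUri + ":";
        }
        else
        {
            // Not blank, not a URI, not a keyword and not a valid scheme name.
            sourceIsWellFormed = false;
        }

        // Directive might be something like script-src or script-src none. We want just the first part.
        string directive = reportedDirective.Split(' ')[0];

        if (!sourceIsWellFormed)
        {
            logger.Log("Invalid CSP Report - malformed blocked-uri property.");
        }
        else if (!System.Text.RegularExpressions.Regex.IsMatch(directive, DirectiveNamePattern))
        {
            logger.Log("Invalid CSP Report - malformed directive name.");
        }
        else
        {
            cacheLock.EnterWriteLock();
            try
            {
                if (!rules.ContainsKey(documentUri))
                {
                    rules.Add(documentUri, new Dictionary<string, HashSet<string>>());
                }

                var perDirective = rules[documentUri];
                if (!perDirective.ContainsKey(directive))
                {
                    perDirective.Add(directive, new HashSet<string>());
                }

                perDirective[directive].Add(source);
            }
            finally
            {
                cacheLock.ExitWriteLock();
            }

            // Read the delegate once so the null check and the call see the same value.
            var subscribers = OnRuleAddedOrModified;
            if (subscribers != null)
            {
                subscribers.Invoke(documentUri, Get(documentUri));
            }
        }
    }
}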