/// <summary>
/// Parses the CSP violation report carried in the request body of <paramref name="session"/>
/// and folds it into <c>collector</c>. An empty body is ignored; a body that fails to parse is
/// logged as "Invalid CSP" and dropped instead of being propagated to the caller.
/// </summary>
/// <param name="session">The Fiddler session whose request body holds the JSON report.</param>
/// <remarks>
/// The body comes from whatever client posted to the report host, so every value read here —
/// including <c>documentUri</c>, which is written verbatim into the log — is untrusted input.
/// A request on the "/unsafe-eval" path makes the collector read a blank blocked-URI as
/// 'unsafe-eval'; any other path makes it 'unsafe-inline'.
/// </remarks>
private void ProcessCSPReport(Session session)
{
    string body = session.GetRequestBodyAsString();
    if (body.Length == 0)
    {
        return;
    }

    try
    {
        CSPReport parsed = CSPReport.Parse(body);

        var inner = parsed.cspReport;
        if (inner != null && inner.documentUri != null)
        {
            logger.Log($"Got report for {inner.documentUri} via {session.fullUrl}");
        }

        // The reporting path alone decides how a blank blocked-URI is interpreted.
        CSPRuleCollector.InterpretBlank blankMeaning;
        if (session.PathAndQuery == "/unsafe-eval")
        {
            blankMeaning = CSPRuleCollector.InterpretBlank.UnsafeEval;
        }
        else
        {
            blankMeaning = CSPRuleCollector.InterpretBlank.UnsafeInline;
        }

        logger.Log($"Adding {parsed.ToString()}");
        collector.Add(parsed, blankMeaning);
        logger.Log($"Total {collector.ToString()}");
    }
    catch (Exception exception)
    {
        // Best-effort: a malformed report must not take down the extension.
        logger.Log($"Invalid CSP - {exception}");
    }
}
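/// <summary>
/// Fiddler hook run before each request is forwarded. Traffic addressed to <c>reportHost</c>
/// is answered locally with a fixed acknowledgement page (it is never sent to a real server)
/// and its body is handed to <see cref="ProcessCSPReport"/> so the CSP violation report it
/// carries is folded into the collector. Every other session passes through untouched.
/// </summary>
/// <param name="session">The Fiddler session under inspection.</param>
/// <remarks>
/// The report parsing previously duplicated the body of <see cref="ProcessCSPReport"/> verbatim;
/// it now delegates to it so the two paths cannot drift apart.
/// Security note: only the hostname is checked — neither method nor path — so any client that
/// can reach <c>reportHost</c> can submit arbitrary report bodies, and a GET is consumed exactly
/// like a POSTed report. What gets collected and logged is therefore untrusted input.
/// </remarks>
public void AutoTamperRequestBefore(Session session)
{
    if (!Settings.enabled)
    {
        return;
    }

    // Only the report host is intercepted; FTP sessions are never reports.
    if (!session.HostnameIs(reportHost) || session.isFTP)
    {
        return;
    }

    // TODO: We should offer an option to hide the reports from Fiddler; change "ui-strikeout" to "ui-hide" in the next line
    session["ui-strikeout"] = "CSPReportGenerator";

    // A CONNECT (HTTPS) is answered with Fiddler's tunnel flag and nothing else; the report
    // request inside the tunnel is expected to arrive as its own session.
    if (session.HTTPMethodIs("CONNECT"))
    {
        session["x-replywithtunnel"] = "CSPReportGenerator";
        return;
    }

    // Synthesize the response here so the report host does not need to exist. The body is a
    // fixed literal; nothing from the request is reflected into it.
    session.utilCreateResponseAndBypassServer();
    session.oResponse.headers.Add("Content-Type", "text/html");
    session.ResponseBody = Encoding.UTF8.GetBytes("<!doctype html><HTML><BODY><H1>Report received. Thanks. You're the best.</H1></BODY></HTML>");

    // Parse and collect the report; malformed bodies are logged and dropped there.
    ProcessCSPReport(session);
}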
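/// <summary>
/// Test helper: feeds the given serialized CSP reports through a fresh <see cref="CSPRuleCollector"/>
/// and asserts that the policy it derives for <paramref name="documentUri"/> equals
/// <paramref name="expectedCsp"/>.
/// </summary>
/// <param name="documentUri">The document whose generated policy is checked.</param>
/// <param name="expectedCsp">The policy string the collector is expected to produce.</param>
/// <param name="cspReportsUnsafeInline">Serialized reports whose blank blocked-URI means 'unsafe-inline'.</param>
/// <param name="cspReportsUnsafeEval">Serialized reports whose blank blocked-URI means 'unsafe-eval'.</param>
/// <remarks>
/// The assertion previously passed the actual value in the position the <c>Assert.AreEqual</c>
/// family reports as "expected", so a failing test printed the two swapped. The order is now
/// (expected, actual). Reports are parsed one at a time, immediately before being added, as before.
/// </remarks>
private void ValidateCSPReportSet(
    string documentUri,
    string expectedCsp,
    string[] cspReportsUnsafeInline,
    string[] cspReportsUnsafeEval)
{
    CSPRuleCollector collector = new CSPRuleCollector(logger);

    foreach (string serialized in cspReportsUnsafeInline)
    {
        collector.Add(CSPReport.Parse(serialized), CSPRuleCollector.InterpretBlank.UnsafeInline);
    }

    foreach (string serialized in cspReportsUnsafeEval)
    {
        collector.Add(CSPReport.Parse(serialized), CSPRuleCollector.InterpretBlank.UnsafeEval);
    }

    Assert.AreEqual(expectedCsp, collector.Get(documentUri));
}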