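        /// <summary>
        /// Records one CSP violation report as a rule: the report's blocked-uri is
        /// normalised to a single CSP source expression and added to the set kept for
        /// (document-uri, directive), then <c>OnRuleAddedOrModified</c> is raised with
        /// the current rules for that document. Reports that lack a blocked-uri,
        /// document-uri or both directive fields are logged and ignored.
        /// </summary>
        /// <param name="cspReport">
        /// The parsed report. It originates from the browser's report POST, so every
        /// field is treated as untrusted text.
        /// </param>
        /// <param name="blankIs">
        /// How an empty blocked-uri is interpreted: <c>'unsafe-inline'</c> for
        /// <see cref="InterpretBlank.UnsafeInline"/>, otherwise <c>'unsafe-eval'</c>.
        /// </param>
        public void Add(CSPReport cspReport, InterpretBlank blankIs)
        {
            // TryParse returns null on bad JSON, and a body without a csp-report member
            // deserialises with a null inner object; guard both before dereferencing.
            if (cspReport == null || cspReport.cspReport == null)
            {
                FiddlerExtension.Log("FiddlerCSP: Invalid cspreport: " + cspReport);
                return;
            }

            string documentUri = cspReport.cspReport.documentUri;
            string blockedUri  = cspReport.cspReport.blockedUri;
            // Prefer effective-directive; fall back to the older violated-directive.
            string directive   = cspReport.cspReport.effectiveDirective ?? cspReport.cspReport.violatedDirective;
            if (documentUri == null || blockedUri == null || directive == null)
            {
                FiddlerExtension.Log("FiddlerCSP: Invalid cspreport: " + cspReport);
                return;
            }

            string documentUriOrigin = UriOrigin(documentUri);

            // Whitespace around the value is never meaningful; trimming once here keeps
            // the "self" and bare-scheme checks below consistent with the emptiness check.
            blockedUri = blockedUri.Trim();
            if (blockedUri.Length == 0)
            {
                // How to handle unsafe-eval? Might require a different report-uri and rule set.
                blockedUri = blankIs == InterpretBlank.UnsafeInline ? "'unsafe-inline'" : "'unsafe-eval'";
            }
            else if (blockedUri.IndexOf(':') >= 0)
            {
                // Full URI: reduce to its origin, expressed relative to the document's origin.
                blockedUri = UriWrtDocumentUri(UriOrigin(blockedUri), documentUriOrigin);
            }
            else if (blockedUri == "self") // Firefox can return self as the blocked-uri.
            {
                blockedUri = "'self'";
            }
            else
            {
                // Report can give out schemes with no delimiters or anything else.
                blockedUri = blockedUri + ":";
            }

            // directive may be script-src or script-src none. We want just the first part.
            directive = directive.Split(' ')[0];

            // Both values are browser-supplied and are presumably assembled into a policy
            // string elsewhere, so refuse anything that is not a single token: whitespace,
            // ';' or ',' would split or extend the directive it is inserted into.
            if (!IsCspToken(directive) || !IsCspToken(blockedUri))
            {
                FiddlerExtension.Log("FiddlerCSP: Ignoring cspreport with malformed directive or blocked-uri: " + cspReport);
                return;
            }

            cacheLock.EnterWriteLock();
            try
            {
                if (!rules.ContainsKey(documentUri))
                {
                    rules.Add(documentUri, new Dictionary<string, HashSet<string>>());
                }
                var directives = rules[documentUri];
                if (!directives.ContainsKey(directive))
                {
                    directives.Add(directive, new HashSet<string>());
                }
                directives[directive].Add(blockedUri);
            }
            finally
            {
                cacheLock.ExitWriteLock();
            }

            // Raised outside the write lock: Get() presumably takes the read lock, which
            // ReaderWriterLockSlim does not allow recursively by default. Copy the delegate
            // first so a missing subscriber cannot cause a NullReferenceException.
            var handler = OnRuleAddedOrModified;
            if (handler != null)
            {
                handler(documentUri, Get(documentUri));
            }
        }

        /// <summary>
        /// True when <paramref name="value"/> is non-empty and contains none of the
        /// characters that separate tokens in a policy string (whitespace, ';', ',').
        /// </summary>
        /// <param name="value">Candidate directive name or source expression.</param>
        /// <returns><c>true</c> if the value can be emitted as one policy token.</returns>
        private static bool IsCspToken(string value)
        {
            if (string.IsNullOrEmpty(value))
            {
                return false;
            }
            foreach (char c in value)
            {
                if (char.IsWhiteSpace(c) || c == ';' || c == ',')
                {
                    return false;
                }
            }
            return true;
        }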
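 /// <summary>
 /// Deserialises a CSP violation report from a raw request body. Returns
 /// <c>null</c>, after logging the error and (a bounded copy of) the offending
 /// body, when the body cannot be read as a <see cref="CSPReport"/>. A non-null
 /// result may still carry a null inner csp-report member, so callers must check
 /// both.
 /// </summary>
 /// <param name="postData">
 /// The request body. It is read to the end and left open; the caller owns it.
 /// </param>
 /// <returns>The parsed report, or <c>null</c> when parsing fails.</returns>
 public static CSPReport TryParse(Stream postData)
 {
     if (postData == null)
     {
         FiddlerExtension.Log("FiddlerCSP: Error parsing CSP report JSON: no request body");
         return null;
     }

     // Remember where the body starts so the error path can log it from the
     // beginning; ReadObject consumes the stream even when it fails.
     long start = postData.CanSeek ? postData.Position : -1;
     try
     {
         return (CSPReport) new DataContractJsonSerializer(typeof(CSPReport)).ReadObject(postData);
     }
     catch (Exception e)
     {
         // Any failure (malformed JSON, wrong shape, bad encoding) is a "not a report"
         // answer for the caller; the detail goes to the log instead of propagating.
         FiddlerExtension.Log("FiddlerCSP: Error parsing CSP report JSON: " + e + " for JSON: " + ReadBodyForLog(postData, start));
         return null;
     }
 }

 /// <summary>
 /// Best-effort copy of the request body for the error log. Rewinds to
 /// <paramref name="start"/> when the stream is seekable (otherwise only the
 /// unconsumed remainder is available), and caps the length because the body is
 /// untrusted client data and should not be able to flood the log.
 /// </summary>
 /// <param name="postData">The body stream that failed to deserialise.</param>
 /// <param name="start">Position the body began at, or -1 if not seekable.</param>
 /// <returns>The body text, truncated if long, or a placeholder if it cannot be read.</returns>
 private static string ReadBodyForLog(Stream postData, long start)
 {
     const int maxLogged = 4096;
     try
     {
         if (start >= 0 && postData.CanSeek)
         {
             postData.Position = start;
         }
         // Deliberately not disposed: disposing the reader would close the caller's stream.
         string body = new StreamReader(postData).ReadToEnd();
         if (body.Length > maxLogged)
         {
             body = body.Substring(0, maxLogged) + "...[truncated]";
         }
         return body;
     }
     catch (Exception ex)
     {
         // Logging must never mask the original parse error.
         return "<unreadable body: " + ex.GetType().Name + ">";
     }
 }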