mikemaccana

Reputation: 123510

What should I do if I get an empty CSP violation?

I use Content Security Policy. I get genuinely useful warnings like this:

CSP violation! 
{ 'csp-report':
    { 'document-uri': 'about:blank',
        referrer: '',
        'violated-directive': 'img-src \'self\' data: pbs.twimg.com syndication.twitter.com p.typekit.net',
        'original-policy': 'longPolicyGoesHere',
        'blocked-uri': 'https://platform.twitter.com',
        'source-file': 'https://platform.twitter.com',
        'line-number': 2 } }

Cool, I need to add 'platform.twitter.com' as an img-src

But sometimes I get blank CSP warnings like this:

CSP violation! 
{}

I.e., there's been a POST, but the JSON is empty. What do I do?

Upvotes: 3

Views: 760

Answers (1)

David Spector

Reputation: 1677

I found the problem in my case; it might not be the problem for you.

Since the CSP reporter calls the report-uri file with the POST method, I assumed that the $_POST variable would contain the posted data. This turned out to be false, because the data was not sent from a form or file upload (see PHP "php://input" vs $_POST).

The following code works for me perfectly (thanks to inspiration by the slightly buggy code in https://mathiasbynens.be/notes/csp-reports):

<?php
// Receive and log Content-Security-Policy report

// Append text to a log file. The answer omitted this helper; this is a
// hypothetical minimal version so the script runs as posted.
function WriteLog($text) {
    file_put_contents(__DIR__ . '/csp-reports.log', $text . "\n", FILE_APPEND | LOCK_EX);
}

// The browser POSTs the report as a raw JSON body, not as form data,
// so $_POST stays empty; read the raw request body instead.
$data = file_get_contents('php://input');
if (!$data) // Data is usually non-empty
    exit(0);

// Prettify the JSON-formatted data.
$val = json_decode($data);
if ($val === null) { // Not valid JSON: keep the raw body so nothing is lost
    WriteLog($data);
    exit(0);
}
$data = json_encode($val, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
WriteLog($data);
?>

Upvotes: 1
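The question's log format looks like Node.js output, so here is the same idea as the PHP answer written for Node, as an added example that is not code from either the question or the answer. Browsers send CSP reports with Content-Type application/csp-report, and a JSON body parser configured only for application/json will hand the route an empty object, which is one way to end up logging `{}`. The handler below reads the raw body itself, then classifies it as empty, malformed, or a usable report, and pulls out the directive name and blocked origin that a policy change would be based on. All sample bodies are constructed for the example; `parseCspReport` and `handleReportRequest` are names chosen here.

```javascript
// Classify a raw CSP report-uri POST body. Returns an object whose `kind` is:
//   'empty'   - nothing usable was posted (the case asked about above)
//   'invalid' - body is not JSON, or lacks the csp-report wrapper object
//   'report'  - a report with the fields a policy author needs
function parseCspReport(rawBody) {
  const body = (rawBody || '').trim();
  // '{}' is what a body parser that ignored the content type would yield,
  // so treat it the same as no body at all.
  if (body === '' || body === '{}') {
    return { kind: 'empty' };
  }
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { kind: 'invalid', reason: 'not JSON' };
  }
  const report = parsed && parsed['csp-report'];
  if (!report || typeof report !== 'object') {
    return { kind: 'invalid', reason: 'missing csp-report object' };
  }
  // Older browsers put the whole directive value in violated-directive
  // ("img-src 'self' data: ..."); newer ones send just "img-src".
  // The first token is the directive name either way.
  const directive = String(report['violated-directive'] || '').split(/\s+/)[0];
  let blockedOrigin;
  try {
    // For a URL, the origin is what would go into the allow-list.
    blockedOrigin = new URL(report['blocked-uri']).origin;
  } catch (e) {
    // blocked-uri may be 'inline', 'eval', 'data' or absent; keep it verbatim.
    blockedOrigin = report['blocked-uri'] || null;
  }
  return {
    kind: 'report',
    directive,
    blockedOrigin,
    documentUri: report['document-uri'] || null,
    sourceFile: report['source-file'] || null,
  };
}

// Node http request handler: collect the raw body rather than relying on a
// JSON middleware, so application/csp-report bodies are not silently dropped.
function handleReportRequest(req, res) {
  const chunks = [];
  req.on('data', (chunk) => chunks.push(chunk));
  req.on('end', () => {
    const result = parseCspReport(Buffer.concat(chunks).toString('utf8'));
    // An 'empty' entry still records that a browser reached the endpoint.
    console.log('CSP report', JSON.stringify(result));
    res.statusCode = 204;
    res.end();
  });
}

// Constructed sample bodies modelled on the reports shown in the question.
const SAMPLE_BODIES = {
  twitter: JSON.stringify({
    'csp-report': {
      'document-uri': 'about:blank',
      referrer: '',
      'violated-directive': "img-src 'self' data: pbs.twimg.com syndication.twitter.com",
      'original-policy': 'longPolicyGoesHere',
      'blocked-uri': 'https://platform.twitter.com',
      'source-file': 'https://platform.twitter.com',
      'line-number': 2,
    },
  }),
  inlineScript: JSON.stringify({
    'csp-report': { 'violated-directive': 'script-src', 'blocked-uri': 'inline' },
  }),
  empty: '',
  braces: '{}',
  garbage: 'not json at all',
};

module.exports = { parseCspReport, handleReportRequest, SAMPLE_BODIES };
```

Wire `handleReportRequest` into `http.createServer` on the report-uri path; the classification in the log then tells you whether an empty entry means the browser posted nothing or the server discarded the body.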
