I am interested in implementing a Content Security Policy (CSP) for my Node.js application. Mozilla's docs are rather helpful, but I am stuck at how to enable violation reports. I understand the basic premise of how they work (the browser sends a POST request to the specified URL to notify the website of a violation) but could not figure out where to find the JSON document describing the violation in the HTTP request. Perhaps this would have been obvious to someone more familiar with the HTTP spec.

Looking at the W3C draft for CSP, I established that the JSON is contained in a portion of the HTTP request called the "entity body". I still don't know what the purpose of the entity is (the only mildly useful page I could find on the matter was one from the HTTP spec). I am assuming it is the body of the request.

Perhaps more importantly, I cannot find any way to retrieve the contents of the entity body. I thought of using req.header('entity-body'), but that doesn't work, as the entity is not an HTTP header. What is it, and how do I fetch it?

(Additionally, I tried finding a tutorial on how to implement CSP violation reporting in Node.js and found nothing. I did find one for PHP, but it wasn't particularly helpful, referencing a file_get_contents('php://input') call which I don't have anything similar to in Node.js/Express.)

Any assistance would be greatly appreciated.
It turns out I was over-analyzing things. All you need to do is enable the express.bodyParser() middleware for express and then fetch req.body in the POST event handler. This retrieves the body of the HTTP request containing the JSON violation report.

Enable middleware:

Retrieving violation report:
I went through some difficulties getting my Express app fronted with Nginx to report csp violations, and the two things I learned from the above answer were: POST method and not GET method, and req.body contains the report.

But the above was not sufficient and I kept getting an empty req.body, and I could not find any other post describing how to fix it. After some research I came across this post as well as a totally isolated github issue where dougwilson gives hints on where to put the route that handles the csp report.

The reason the req.body was empty for me was because I placed the csp report route handler after the following configs:

I moved the csp report route handler above these, but I still kept getting an empty req.body. Then I added the following above the csp report route handler to get the report in req.body:

After adding the above line above the csp report request handler, Express understood that it should parse requests that have Content-type as application/csp-report. Maybe Express by default does not parse application/csp-report, and adding the above resolved the issue for me. I also googled whether Express parses application/csp-report by default and I came across this gist claiming that Chrome sends application/csp-report whereas Firefox sends application/json (and I am using Chrome - you can include application/json also if you face issues with FF).

So this is how it looks in my app.js:

The accepted answer posted by OP is from 2011, and I thought of adding an answer to show how I resolved this issue in 2016 with the following versions of Node.js, Express and Nginx: