Content Security Policy Violation logging
Content Security Policy (CSP) is a browser feature that lets a site declare which resources the browser may load and execute. Its primary goal is to mitigate and detect Cross-Site Scripting (XSS).
When introducing CSP, start by deploying the policy in report-only mode (Content-Security-Policy-Report-Only) with reporting enabled: the browser then reports violations without blocking anything, so you can see what a stricter policy would break before you enforce it. CSP reports are also useful for troubleshooting an already enforced policy.
To make clients send their CSP violation reports back to nevisProxy, add the CSP reporting response headers (report-uri and report-to in the policy, plus Reporting-Endpoints) and a LuaFilter that receives the reports.
The following sample configuration contains both:
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
    <filter-name>CSPHeader</filter-name>
    <filter-class>ch::nevis::isiweb4::filter::delegation::HeaderDelegationFilter</filter-class>
    <init-param>
        <param-name>DelegateToFrontend</param-name>
        <param-value>
            Content-Security-Policy-Report-Only:CONST:default-src 'self';; CONST:report-uri /collector.cgi?uri;; CONST:report-to ep1
            Reporting-Endpoints:CONST:ep1="https://<your-nevisProxy's-frontend-side-address>/collector.cgi?to"
        </param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CSPReportCollector</filter-name>
    <filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
    <init-param>
        <param-name>Script.InputHeaderFunctionName</param-name>
        <param-value>inputHeader</param-value>
    </init-param>
    <init-param>
        <param-name>Script.InputFunctionName</param-name>
        <param-value>input</param-value>
    </init-param>
    <init-param>
        <param-name>Script</param-name>
        <param-value>
            -- Called once the request headers have arrived: answer the report POST
            -- directly with an empty 200 so nothing is forwarded to a backend.
            function inputHeader(req, res)
                res:setBody('')
                res:send(200)
            end
            -- Called with the request body (chunk is nil once the body is complete):
            -- log the raw report, tagged with the query string ("uri" or "to") that
            -- tells which reporting mechanism the browser used.
            function input(req, res, chunk)
                if chunk ~= nil then
                    local trace = req:getTracer()
                    trace:notice('CSP-Report (report-'..req:getQuery()..'): '..chunk)
                end
            end
        </param-value>
    </init-param>
</filter>
<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
    <filter-name>CSPHeader</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CSPReportCollector</filter-name>
    <url-pattern>/collector.cgi</url-pattern>
</filter-mapping>
The example above creates the following log entries in navajo.log when a CSP violation occurs:
IW4LuaFlt ... 5-NOTICE: CSP-Report (report-uri): {"csp-report":{"blocked-uri":"https://code.jquery.com/jquery-3.6.4.min.js","document-uri":"http://<frontend-address>/","original-policy":"default-src 'self'; report-uri http://<frontend-address>/collector.cgi?uri","referrer":"","violated-directive":"default-src"}}
or
IW4LuaFlt ... 5-NOTICE: CSP-Report (report-to): [{"age":11647,"body":{"blockedURL":"https://code.jquery.com/jquery-3.6.4.min.js","disposition":"report","documentURL":"https://<frontend-address>/","effectiveDirective":"script-src-elem","originalPolicy":"default-src 'self'; report-uri /collector.cgi?uri; report-to ep1","referrer":"","sample":"","statusCode":200},"type":"csp-violation","url":"https://<frontend-address>/","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"}]
depending on which reporting directive the browser supports: the legacy report-uri directive delivers a single csp-report object, while the Reporting API (report-to, with the endpoint declared in Reporting-Endpoints) delivers a JSON array that may batch several reports. A browser that supports report-to ignores report-uri when both are present, so keeping both in the policy covers old and new browsers. Note that the collector URL accepts unauthenticated POST requests from any client: treat the reports as untrusted input, expect noise from browser extensions, and consider the log volume before enabling reporting on a high-traffic site.
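Because the two report formats differ in field names and shape, turning navajo.log into an allowlist needs a small normaliser. The following Python script is an added example, not part of the nevisProxy documentation or product: it parses CSP-Report lines in the format logged by the LuaFilter above, maps both the report-uri and the report-to payloads to one record shape, drops reports caused by browser extensions, and counts which (directive, source) pairs a policy would have to allow. The log lines, the host name proxy.example and the extra batched and malformed entries are constructed for the example.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample navajo.log lines, shaped like the entries shown above.
# "proxy.example" stands in for the frontend address and "..." for the log
# prefix fields the page elides; the third line adds a batched report-to
# delivery and the fourth a malformed body, neither of which the page shows.
SAMPLE_LOG = r'''
IW4LuaFlt ... 5-NOTICE: CSP-Report (report-uri): {"csp-report":{"blocked-uri":"https://code.jquery.com/jquery-3.6.4.min.js","document-uri":"http://proxy.example/","original-policy":"default-src 'self'; report-uri http://proxy.example/collector.cgi?uri","referrer":"","violated-directive":"default-src"}}
IW4LuaFlt ... 5-NOTICE: CSP-Report (report-to): [{"age":11647,"body":{"blockedURL":"https://code.jquery.com/jquery-3.6.4.min.js","disposition":"report","documentURL":"https://proxy.example/","effectiveDirective":"script-src-elem","originalPolicy":"default-src 'self'; report-uri /collector.cgi?uri; report-to ep1","referrer":"","sample":"","statusCode":200},"type":"csp-violation","url":"https://proxy.example/","user_agent":"Mozilla/5.0"}]
IW4LuaFlt ... 5-NOTICE: CSP-Report (report-to): [{"age":3,"body":{"blockedURL":"inline","disposition":"report","documentURL":"https://proxy.example/login","effectiveDirective":"style-src-attr","originalPolicy":"default-src 'self'","referrer":"","sample":"color:red","statusCode":200},"type":"csp-violation","url":"https://proxy.example/login","user_agent":"Mozilla/5.0"},{"age":4,"body":{"blockedURL":"chrome-extension://abcdefgh/content.js","disposition":"report","documentURL":"https://proxy.example/","effectiveDirective":"script-src-elem","originalPolicy":"default-src 'self'","referrer":"","sample":"","statusCode":200},"type":"csp-violation","url":"https://proxy.example/","user_agent":"Mozilla/5.0"}]
IW4LuaFlt ... 5-NOTICE: CSP-Report (report-uri): {"csp-report": not json
'''

LOG_RE = re.compile(r'CSP-Report \(report-(uri|to)\): (.*)$')

# Reports caused by browser extensions injecting into the page are noise:
# the site cannot and should not allowlist them.
EXTENSION_SCHEMES = ('chrome-extension', 'moz-extension',
                     'safari-web-extension', 'ms-browser-extension')


def normalize(kind, payload):
    """Map a legacy report-uri object or a Reporting API array to uniform dicts."""
    if kind == 'uri':
        body = payload.get('csp-report', {})
        return [{
            'document': body.get('document-uri', ''),
            'directive': body.get('effective-directive') or body.get('violated-directive', ''),
            'blocked': body.get('blocked-uri', ''),
            'disposition': body.get('disposition', 'report'),
        }]
    records = []
    for item in payload:  # report-to delivers a JSON array, possibly batched
        if item.get('type') != 'csp-violation':
            continue
        body = item.get('body', {})
        records.append({
            'document': body.get('documentURL', ''),
            'directive': body.get('effectiveDirective', ''),
            'blocked': body.get('blockedURL', ''),
            'disposition': body.get('disposition', 'report'),
        })
    return records


def parse_log(text):
    """Return (records, malformed_count) for all CSP-Report lines in the log text."""
    records, malformed = [], 0
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        kind, raw = match.groups()
        try:
            payload = json.loads(raw)
        except json.JSONDecodeError:
            malformed += 1  # the collector accepts any POST body; don't trust it to be JSON
            continue
        records.extend(normalize(kind, payload))
    return records, malformed


def is_extension_noise(blocked):
    return urlsplit(blocked).scheme in EXTENSION_SCHEMES


def source_expression(blocked):
    """Translate a blocked URL into the CSP source expression that would allow it."""
    keywords = {'inline': "'unsafe-inline'", 'eval': "'unsafe-eval'"}
    if blocked in keywords:
        return keywords[blocked]  # prefer a nonce or hash over unsafe-* in a real policy
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        return f'{parts.scheme}://{parts.netloc}'  # allow the origin, not the full path
    if blocked and ':' not in blocked:
        return blocked + ':'  # browsers report bare schemes such as "data" or "blob"
    return blocked


def summarize(records):
    """Count (directive, source expression) pairs, dropping extension noise."""
    counts = Counter()
    for r in records:
        if is_extension_noise(r['blocked']):
            continue
        counts[(r['directive'], source_expression(r['blocked']))] += 1
    return counts


if __name__ == '__main__':
    recs, bad = parse_log(SAMPLE_LOG)
    print(f'{len(recs)} violations parsed, {bad} malformed report(s) skipped')
    for (directive, source), n in summarize(recs).most_common():
        print(f'{n:4d}  {directive:<18} {source}')
```

Run against a real navajo.log, the summary is the list of candidates to review before tightening default-src into per-directive allowlists; an entry that maps to 'unsafe-inline' is a prompt to add a nonce or hash rather than to weaken the policy.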