add content-type application/xss-auditor-report #1243

merged 1 commit into from Dec 3, 2018


3 participants

theMiddleBlue commented Nov 22, 2018

As done for CSP (#1242): when the X-Xss-Protection header is configured with a self-referenced report URI (e.g. report-uri /xss-report.php), the browser sends a POST request with Content-Type: application/xss-auditor-report that is blocked by CRS rule 920420: Request content type is not allowed by policy.

I've added application/xss-auditor-report in:
- crs-setup.conf.example on rule 900200
- rules/REQUEST-901-INITIALIZATION.conf on rule 901162
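
An added example, not part of this pull request or the CRS code base: a small audit script that reads a crs-setup.conf, extracts the content-type allow-list set by rule 900200, and reports whether browser report POSTs would be rejected. The sample configuration is constructed, the matching is a simplified model of the allow-list check, and the variable name `tx.allowed_request_content_type` is assumed to be the one rule 900200 sets.

```python
import re

# Constructed sample of an active, pre-fix override (not copied from the project).
SAMPLE_SETUP = r'''
SecAction \
 "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/json'"
'''

# Content types browsers use for report POSTs (CSP per #1242, XSS auditor per this PR).
REPORT_TYPES = ("application/csp-report", "application/xss-auditor-report")
SETVAR_RE = re.compile(
    r"setvar:'?tx\.allowed_request_content_type=([^'\"]*)", re.IGNORECASE)


def allowed_types(conf_text):
    """Return the media types in the last active allow-list setvar, or None."""
    # Skip commented lines so a '#SecAction' template is not read as live config.
    active = "\n".join(line for line in conf_text.splitlines()
                       if not line.lstrip().startswith("#"))
    matches = SETVAR_RE.findall(active)
    if not matches:
        return None
    # Accept both 'a|b|c' and space-padded '|a| |b|' list layouts.
    return {t.lower() for t in re.split(r"[|\s]+", matches[-1]) if t}


def media_type(content_type_header):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type_header.split(";", 1)[0].strip().lower()


def missing_report_types(conf_text):
    """List report content types the configured allow-list would reject."""
    allowed = allowed_types(conf_text)
    if allowed is None:
        return []  # no override: the default set in rule 901162 applies
    return [t for t in REPORT_TYPES if t not in allowed]


def would_be_blocked(conf_text, content_type_header):
    allowed = allowed_types(conf_text)
    return allowed is not None and media_type(content_type_header) not in allowed


if __name__ == "__main__":
    print("missing:", missing_report_types(SAMPLE_SETUP))
```

Sites that override rule 900200 keep their own list, so the new default does not reach them until the override itself is edited.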



franbuehler commented Dec 3, 2018

Looks good. Can be merged.



dune73 commented Dec 3, 2018

Thank you @theMiddleBlue.

dune73 merged commit c3ce5a0 into SpiderLabs:v3.2/dev on Dec 3, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed