add content-type application/xss-auditor-report #1243

Merged (1 commit, Dec 3, 2018)

@theMiddleBlue
Contributor

theMiddleBlue commented Nov 22, 2018

As done for CSP (#1242): when the X-Xss-Protection header is configured with a self-referenced report URI (e.g. `report-uri /xss-report.php`), the browser sends a POST request with `Content-Type: application/xss-auditor-report` that is blocked by CRS rule 920420: "Request content type is not allowed by policy".

I've added `application/xss-auditor-report` in:

- crs-setup.conf.example, rule 900200
- rules/REQUEST-901-INITIALIZATION.conf, rule 901162
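
The following is an added example, not code from this PR or from the CRS project: a small Python model of the rule 920420 decision, showing the XSS Auditor report POST being blocked with the pre-PR allow-list and accepted once `application/xss-auditor-report` is added. The allow-list contents, the exact-match check (the real rule uses `@within` on a pipe-separated string) and the sample request are assumptions constructed for illustration.

```python
import re

# Constructed approximation of tx.allowed_request_content_type before this PR;
# the real list lives in crs-setup.conf.example (rule 900200) and may differ.
ALLOWED_BEFORE = [
    "application/x-www-form-urlencoded", "multipart/form-data", "text/xml",
    "application/xml", "application/soap+xml", "application/x-amf",
    "application/json", "application/csp-report", "text/plain",
]
# Allow-list after the change proposed in this PR.
ALLOWED_AFTER = ALLOWED_BEFORE + ["application/xss-auditor-report"]

BLOCK_MSG = "Request content type is not allowed by policy"


def media_type(content_type_header):
    """Extract the media type from a Content-Type header value: everything up
    to the first ';' or whitespace, so 'text/xml; charset=utf-8' -> 'text/xml'.
    Lower-casing is a simplification assumed here, not taken from the rule."""
    m = re.match(r"^([^;\s]+)", content_type_header)
    return m.group(1).lower() if m else ""


def rule_920420(content_type_header, allowed):
    """Model of CRS rule 920420: returns (blocked, message). Exact membership
    is used instead of the rule's @within substring test for clarity."""
    if media_type(content_type_header) not in allowed:
        return True, BLOCK_MSG
    return False, ""


# Constructed sample of the browser-generated report POST described in the PR
# (a Chrome XSS Auditor violation report sent to the configured report-uri).
XSS_REPORT_REQUEST = {
    "method": "POST",
    "path": "/xss-report.php",
    "headers": {"Content-Type": "application/xss-auditor-report"},
    "body": '{"xss-report":{"request-url":"https://example.test/?q=<script>"}}',
}


def evaluate(request, allowed):
    """Run the modelled rule against a request dict; True means blocked."""
    return rule_920420(request["headers"].get("Content-Type", ""), allowed)[0]


if __name__ == "__main__":
    print("before PR blocked:", evaluate(XSS_REPORT_REQUEST, ALLOWED_BEFORE))
    print("after PR blocked: ", evaluate(XSS_REPORT_REQUEST, ALLOWED_AFTER))
```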

@franbuehler

Collaborator

franbuehler commented Dec 3, 2018

Looks good. Can be merged.

@dune73

Collaborator

dune73 commented Dec 3, 2018

Thank you @theMiddleBlue.

@dune73 dune73 merged commit c3ce5a0 into SpiderLabs:v3.2/dev Dec 3, 2018

1 check passed: continuous-integration/travis-ci/pr (The Travis CI build passed)