Content-Type: application/csp-report [improvement Request] #1024

Closed
zaterio opened this Issue Jun 1, 2017 · 4 comments

zaterio commented Jun 1, 2017

Thanks for the excellent work and the new improvements!!

I am capturing CSP reports via eve. However, the specification is not evenly adopted among the User-Agents.
For example, some user-agents (Safari, Chrome) make posts with Content-Type: application/csp-report. In this case eve responds:

{"_status": "ERR", "_error": {"message": "Unknown or no Content-Type header supplied", "code": 400}}

(Not allowed in eve/methods/common.py)

In other cases, the user agents post with: Content-Type: application/json, and eve responds with 201.

MDN specification indicates that the format for csp reports is always json.

I would like to request an improvement that allows the content-type "application/csp-report" to be treated the same as "application/json", in eve/methods/common.py.

Regards.

Ref: twitter/secure_headers#79

nicolaiarocci commented Jun 3, 2017

Hello, this is an interesting use case, thanks for bringing it up. It is not hard to implement support for additional request content types. Maybe, instead of hard coding it on this line, we could do something similar to what we already do when we deal with response types (see here).

Martin456 commented Jun 3, 2017

I think it might be beneficial to get the supported types into the config file, so it can also easily support vendor-specific JSON types (https://en.wikipedia.org/wiki/Media_type#Vendor_tree).

nicolaiarocci commented Jun 6, 2017

@zaterio does the response need to match the request type (application/csp-report) or will application/json be fine as well?

@Martin456 agreed.

@nicolaiarocci nicolaiarocci added this to the 0.8 milestone Jun 6, 2017

nicolaiarocci added a commit that referenced this issue Jun 6, 2017

New: JSON_REQUEST_CONTENT_TYPES
This setting defaults to ['application/json']. Useful for supporting
vendor-specific Content-Type headers. Responses will still carry
application/json.

Closes #1024.

nicolaiarocci commented Jun 6, 2017

I pushed support for JSON_REQUEST_CONTENT_TYPES to a side branch, see commit above. I would love some feedback from you guys.
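
As an added illustration (not code from Eve or from anyone in this thread), the sketch below applies an allowlist of the kind JSON_REQUEST_CONTENT_TYPES describes to a CSP report POST and validates the body before it is stored. The function names, the size cap, the 413/422 status codes, the field list and the sample report are assumptions made for the example.

```python
import json

# Same name as the setting in the commit message, extended for CSP reports.
JSON_REQUEST_CONTENT_TYPES = ["application/json", "application/csp-report"]
MAX_REPORT_BYTES = 16 * 1024  # assumed cap: report endpoints are unauthenticated
# Standard string-valued members of a report-uri style CSP report.
REPORT_FIELDS = ("document-uri", "referrer", "blocked-uri",
                 "violated-directive", "effective-directive", "original-policy")

# Constructed sample body, shaped like a browser-generated report.
SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://app.example/login",
    "blocked-uri": "https://cdn.example/x.js",
    "violated-directive": "script-src 'self'",
    "original-policy": "script-src 'self'; report-uri /csp",
}}).encode()


def media_type(content_type_header):
    """Bare, lower-cased media type with parameters (e.g. charset) dropped."""
    return (content_type_header or "").split(";", 1)[0].strip().lower()


def parse_csp_report(content_type_header, body):
    """Return (status, payload) for a raw POST to a hypothetical report endpoint."""
    if media_type(content_type_header) not in JSON_REQUEST_CONTENT_TYPES:
        return 400, {"message": "Unknown or no Content-Type header supplied"}
    if len(body) > MAX_REPORT_BYTES:
        return 413, {"message": "Report too large"}
    try:
        doc = json.loads(body.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return 400, {"message": "Body is not valid JSON"}
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return 422, {"message": "Missing csp-report object"}
    # Keep only known string fields, truncated, so attacker-chosen keys and
    # oversized values never reach storage or logs.
    cleaned = {k: report[k][:2048] for k in REPORT_FIELDS
               if isinstance(report.get(k), str)}
    return 201, cleaned


if __name__ == "__main__":
    for ctype in ("application/csp-report", "application/json; charset=utf-8",
                  "text/plain", None):
        print(ctype, "->", parse_csp_report(ctype, SAMPLE)[0])
```
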

nicolaiarocci added a commit that referenced this issue Jun 6, 2017

nicolaiarocci added a commit that referenced this issue Jun 7, 2017

nicolaiarocci added a commit that referenced this issue Jun 7, 2017

nicolaiarocci added a commit that referenced this issue Jun 7, 2017

nicolaiarocci added a commit that referenced this issue Jun 7, 2017

nicolaiarocci added a commit that referenced this issue Jan 27, 2019
