Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Content-Type: application/csp-report [improvement Request] #1024

Closed
zaterio opened this issue Jun 1, 2017 · 4 comments
Closed

Content-Type: application/csp-report [improvement Request] #1024

zaterio opened this issue Jun 1, 2017 · 4 comments
Milestone

Comments

@zaterio
Copy link

@zaterio zaterio commented Jun 1, 2017

Thanks for the excellent work and the new improvements!!

I am capturing CSP reports via eve. However, the specification is not evenly adopted among the User-Agents.
For example some user-agents (Safari, Chrome) makes posts with: Content-Type: application/csp-report, In this case eve responds:

{"_status": "ERR", "_error": {"message": "Unknown or no Content-Type header supplied", "code": 400}}

(Not allowed in eve/methods/common.py )

In other cases, the user agents post with: Content-Type: application/json, and eve responds with 201.

MDN specification indicates that the format for csp reports is always json.

I would like to request the improvement, which allows the content-type "application/csp-report" to be treated such as "application/json", in eve/methods/common.py.

Regards.

Ref: github/secure_headers#79

@nicolaiarocci
Copy link
Member

@nicolaiarocci nicolaiarocci commented Jun 3, 2017

Hello, this is an interesting use case, thanks for bringing it up. It is not hard to implement support for additional request content types. Maybe, instead of hard coding it on this line, we could do something similar to what we already do when we deal with response types (see here).

Loading

@Martin456
Copy link
Contributor

@Martin456 Martin456 commented Jun 3, 2017

I think it might be beneficial to get supported types to the config file, so it can easily support also vendor specific json types (https://en.wikipedia.org/wiki/Media_type#Vendor_tree).

Loading

@nicolaiarocci
Copy link
Member

@nicolaiarocci nicolaiarocci commented Jun 6, 2017

@zaterio does the response need to match the request type (application/csp-report) or will application/json be fine as well?

@Martin456 agreed.

Loading

@nicolaiarocci nicolaiarocci added this to the 0.8 milestone Jun 6, 2017
nicolaiarocci added a commit that referenced this issue Jun 6, 2017
This setting defaults to ['application/json']. Useful for supporting
vendor-specific Content-Type headers. Responses will still carry
application/json.

Closes #1024.
@nicolaiarocci
Copy link
Member

@nicolaiarocci nicolaiarocci commented Jun 6, 2017

I pushed support for JSON_REQUEST_CONTENT_TYPES to a side branch, see commit above. I would love some feedback from you guys.

Loading

nicolaiarocci added a commit that referenced this issue Jun 6, 2017
This setting defaults to ['application/json']. Useful for supporting
vendor-specific Content-Type headers. Responses will still carry
application/json.

Closes #1024.
nicolaiarocci added a commit that referenced this issue Jun 7, 2017
This setting defaults to ['application/json']. Useful for supporting
vendor-specific Content-Type headers. Responses will still carry
application/json.

Closes #1024.
nicolaiarocci added a commit that referenced this issue Jun 7, 2017
This setting defaults to ['application/json']. Useful for supporting
vendor-specific Content-Type headers. Responses will still carry
application/json.

Closes #1024.
nicolaiarocci added a commit that referenced this issue Jan 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants