Content-Type: application/csp-report [improvement Request]

[zaterio]

Thanks for the excellent work and the new improvements!!

I am capturing CSP reports via eve. However, the specification is not evenly adopted among the User-Agents.
For example some user-agents (Safari, Chrome) makes posts with: Content-Type: application/csp-report, In this case eve responds:

{"_status": "ERR", "_error": {"message": "Unknown or no Content-Type header supplied", "code": 400}}

(Not allowed in eve/methods/common.py )

In other cases, the user agents post with: Content-Type: application/json, and eve responds with 201.

MDN specification indicates that the format for csp reports is always json.

I would like to request the improvement, which allows the content-type "application/csp-report" to be treated such as "application/json", in eve/methods/common.py.

Regards.

Ref: github/secure_headers#79

[nicolaiarocci]

Hello, this is an interesting use case, thanks for bringing it up. It is not hard to implement support for additional request content types. Maybe, instead of hard coding it on this line, we could do something similar to what we already do when we deal with response types (see here).

[Martin456]

I think it might be beneficial to get supported types to the config file, so it can easily support also vendor specific json types (https://en.wikipedia.org/wiki/Media_type#Vendor_tree).

[nicolaiarocci]

@zaterio does the response need to match the request type (application/csp-report) or will application/json be fine as well?

@Martin456 agreed.

[nicolaiarocci]

I pushed support for JSON_REQUEST_CONTENT_TYPES to a side branch, see commit above. I would love some feedback from you guys.