In order to protect assets such as scripts, styles and media on the site, the Content-Security-Policy header is used. It helps mitigate data injection attacks and XSS attacks, among others. But once you are here, you probably know this.
The Content-Security-Policy header contains a configuration option that tells the browser where to send policy violation reports. By default, it is not set. You can configure it by adding the report-uri directive to your policy, like this:
Content-Security-Policy: default-src 'self'; report-uri https://my.server/my-page-to-collect-reports.cfm
In the example above, I'm asking the browser to send reports to /my-page-to-collect-reports.cfm. The report itself is sent in the request body, so we have to pull its contents from there. The function that provides request data is named GetHttpRequestData(), and we want the content variable in the struct returned by this function. The content variable is provided as a byte array, so we should use toString() in order to get something more useful. Finally, because it is a JSON encoded struct, we will use DeserializeJSON().
Here is the sample code of the
<cfscript>
    // the browser POSTs the violation report as a JSON document in the request body
    reportContents = DeserializeJSON(toString(GetHttpRequestData().content));
    // save report contents to the database or to the log
</cfscript>
Because this page will be called by the browser but never displayed anywhere, it is handy to save the report contents to the database or a log file. Such a log should be reviewed regularly to make sure that no assets we actually want to allow are being blocked, especially after adding a new external JS library 🙂
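To show what that regular review can look like, here is an added example (my own code, not part of the original post, and written in Python rather than CFML so it runs anywhere). It assumes the JSON shape browsers send to a report-uri endpoint: a top-level "csp-report" object with fields such as "document-uri", "violated-directive" and "blocked-uri". The request bodies below are constructed for the example and include an empty and a malformed body, because a collector endpoint should not fail on those. The parse step mirrors the endpoint (bytes to text to JSON), and the review step counts blocked origins per directive so a legitimately added library shows up as a repeated entry rather than one-off noise.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample request bodies, shaped like the JSON a browser POSTs to
# the report-uri endpoint (the "csp-report" wrapper and field names follow the
# CSP report format; the hosts and pages here are made up for the example).
SAMPLE_BODIES = [
    b'{"csp-report": {"document-uri": "https://example.test/page", '
    b'"violated-directive": "script-src", "effective-directive": "script-src", '
    b'"blocked-uri": "https://cdn.example-lib.test/lib.min.js", '
    b'"original-policy": "default-src \'self\'; report-uri /report"}}',
    b'{"csp-report": {"document-uri": "https://example.test/page", '
    b'"violated-directive": "script-src", '
    b'"blocked-uri": "https://cdn.example-lib.test/lib.min.js"}}',
    b'{"csp-report": {"document-uri": "https://example.test/other", '
    b'"violated-directive": "style-src", "blocked-uri": "inline"}}',
    b'',                      # empty body: nothing to parse
    b'not json at all',       # malformed body: must not crash the endpoint
]


def parse_report(body: bytes):
    """Mirror the endpoint logic: the body arrives as bytes, so decode it to
    text and then deserialize the JSON. Returns the inner report dict, or
    None when the body is empty, not JSON, or not shaped like a CSP report."""
    if not body:
        return None
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    return report


def summarize(bodies):
    """Aggregate stored reports the way a periodic log review would: count
    each (violated directive, blocked origin) pair so repeated blocks of a
    legitimately added asset stand out from one-off noise."""
    counts = Counter()
    for body in bodies:
        report = parse_report(body)
        if report is None:
            continue
        directive = report.get("violated-directive", "?")
        blocked = report.get("blocked-uri", "?")
        # Collapse full URLs to their origin so each host shows up once,
        # while keywords such as "inline" or "eval" are kept as they are.
        parts = urlsplit(blocked)
        if parts.scheme and parts.netloc:
            origin = f"{parts.scheme}://{parts.netloc}"
        else:
            origin = blocked
        counts[(directive, origin)] += 1
    return counts


def review(bodies, threshold=2):
    """Return the (directive, origin) pairs seen at least `threshold` times;
    these are the candidates to compare against the assets we actually added
    and, if legitimate, to allow in the policy."""
    return sorted(k for k, n in summarize(bodies).items() if n >= threshold)


if __name__ == "__main__":
    for (directive, origin), n in summarize(SAMPLE_BODIES).most_common():
        print(f"{n:3d}  {directive:12s} {origin}")
    print("review:", review(SAMPLE_BODIES))
```

Running it lists the CDN host twice under script-src and the inline style once; only the repeated pair is returned by review(), which is the entry to check against the libraries actually added to the site.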