Merge pull request #274 from ucdavis/srk/csp-report

Fix CSP Report
ucdavis · Sep 9, 2020 · b1707de · b1707de
2 parents 6392faa + d0dd0e7
commit b1707de
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 4 deletions.
diff --git a/src/Payments.Mvc/Controllers/HomeController.cs b/src/Payments.Mvc/Controllers/HomeController.cs
@@ -123,9 +123,11 @@ public IActionResult Secure() {
         [AllowAnonymous]
         [IgnoreAntiforgeryToken]
         [Route("csp-report")]
-        public IActionResult CspReport(CspReport model)
+        public IActionResult CspReport([FromBody]CspReportRequest model)
         {
-            Log.ForContext("report", model, true).Warning("csp-report");
+            if (model.CspReport != null) {
+                Log.ForContext("report", model.CspReport, true).Warning("csp-report");
+            }
 
             return new EmptyResult();
         }

diff --git a/src/Payments.Mvc/Models/CspReport.cs b/src/Payments.Mvc/Models/CspReport.cs
@@ -5,6 +5,12 @@
 
 namespace Payments.Mvc.Models
 {
+    public class CspReportRequest
+    {
+        [Newtonsoft.Json.JsonProperty("csp-report")]
+        public CspReport CspReport { get; set; }
+    }
+
     public class CspReport
     {
         [JsonProperty("blocked-uri")]

diff --git a/src/Payments.Mvc/Startup.cs b/src/Payments.Mvc/Startup.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Threading.Tasks;
 using AspNetCore.Security.CAS;
 using Joonasw.AspNetCore.SecurityHeaders;
@@ -11,6 +12,8 @@
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Formatters;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.AspNetCore.Routing.Constraints;
 using Microsoft.AspNetCore.SpaServices.Webpack;
@@ -118,14 +121,24 @@ public void ConfigureServices(IServiceCollection services)
             services.AddScoped<IAuthorizationHandler, VerifyTeamPermissionHandler>();
 
             // add application services
-            services.AddMvc()
+            services.AddMvc(options => {
+                // add the csp-report content type to that handled by the JsonInputFormatter
+                options
+                    .InputFormatters
+                    .Where(item => item.GetType() == typeof(JsonInputFormatter))
+                    .Cast<JsonInputFormatter>()
+                    .Single()
+                    .SupportedMediaTypes
+                    .Add("application/csp-report");
+            })
                 .AddJsonOptions((options) =>
                     {
                         options.SerializerSettings.Error += (sender, args) =>
                         {
                             Log.Logger.Warning(args.ErrorContext.Error, "JSON Serialization Error: {message}", args.ErrorContext.Error.Message);
                         };
                     });
+
             services.AddDistributedMemoryCache();
             services.AddSession();
             services.AddCsp(nonceByteAmount: 32);
@@ -259,7 +272,13 @@ public void Configure(IApplicationBuilder app,
                 c.AllowScripts
                     .From("https://www.googletagmanager.com")
                     .From("https://www.google-analytics.com");
-;
+
+                c.AllowConnections.To("https://www.google-analytics.com");
+
+                if (Environment.IsDevelopment()) {
+                    c.AllowConnections.ToSelf(); // for HMR
+                }
+
                 c.AllowImages
                     .From("https://www.google-analytics.com");