【Posted】: 2020-08-31 07:23:52
【Question】:
I have added a Content Security Policy to my website and built a report-uri endpoint with AWS API Gateway, Lambda and DynamoDB. I have tested it with Postman using the following JSON:
{
  "resource": "/",
  "path": "/",
  "requestContext": {
    "resourcePath": "/",
    "httpMethod": "POST",
    "path": "/latest"
  },
  "headers": {
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "accept-encoding": "gzip, deflate, br",
    "Host": "70ixmpl4fl.execute-api.us-east-2.amazonaws.com",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36",
    "X-Amzn-Trace-Id": "Root=1-5e66d96f-7491f09xmpl79d18acf3d050"
  },
  "multiValueHeaders": {
    "accept": [
      "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
    ],
    "accept-encoding": [
      "gzip, deflate, br"
    ]
  },
  "queryStringParameters": null,
  "multiValueQueryStringParameters": null,
  "pathParameters": null,
  "stageVariables": null,
  "body": {
    "csp-report": {
      "document-uri": "https://example.com/signup.html",
      "referrer": "",
      "blocked-uri": "https://example.com/css/style.css",
      "violated-directive": "style-src cdn.example.com",
      "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports"
    }
  },
  "isBase64Encoded": false
}
It appears to work correctly when tested with Postman. However, once I add the endpoint to my Content Security Policy and deliberately violate the policy, I cannot get it to report correctly.
Does the JSON above adequately represent a real CSP violation? I have looked around and have not found much about building your own report endpoint. Any resources or other suggestions are greatly appreciated.
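As an added example (not code from the question or from AWS), here is a Python Lambda handler written to accept what a browser actually sends to a report-uri endpoint: the request carries Content-Type application/csp-report, and in an API Gateway Lambda proxy event the body arrives as a JSON string (base64-encoded if the API treats that media type as binary) rather than as the nested object in the Postman event above. The sample event is constructed, and the DynamoDB write is left out.

```python
import base64
import json

# Constructed sample of a browser report as delivered by an API Gateway proxy
# event: note the Content-Type and that "body" is a JSON string, not a dict.
BROWSER_EVENT = {
    "httpMethod": "POST",
    "headers": {"Content-Type": "application/csp-report"},
    "isBase64Encoded": False,
    "body": json.dumps({"csp-report": {
        "document-uri": "https://example.com/signup.html",
        "blocked-uri": "https://example.com/css/style.css",
        "violated-directive": "style-src cdn.example.com",
        "original-policy": "default-src 'none'; style-src cdn.example.com; "
                           "report-uri /_/csp-reports",
    }}),
}

def parse_csp_report(event):
    """Return the csp-report object from a proxy event, or None if unusable.

    Accepts both the browser form (JSON string body, application/csp-report)
    and a Postman-style test event (body already a dict, application/json).
    """
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ("application/csp-report", "application/json"):
        return None
    body = event.get("body")
    if event.get("isBase64Encoded") and isinstance(body, str):
        # API Gateway base64-encodes bodies whose media type it treats as binary.
        body = base64.b64decode(body).decode("utf-8")
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except json.JSONDecodeError:
            return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    # A usable report at least names the directive that fired.
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    return report

def lambda_handler(event, context):
    """Lambda entry point: 204 for a valid report, 400 otherwise (storage omitted)."""
    report = parse_csp_report(event)
    if report is None:
        return {"statusCode": 400, "body": ""}
    # Hypothetical next step, not shown: put `report` into the DynamoDB table.
    return {"statusCode": 204, "body": ""}
```

Browsers send no Origin-bound credentials with these reports and ignore the response body, so a 204 with an empty body is a reasonable success response.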
【Comments】:
- "I cannot get it to report correctly" - please be more specific.
Tags: json security post postman content-security-policy