Tags: wordpress, content-security-policy, wordpress-rest-api

Cannot retrieve csp-report request body from report-uri


I’ve tried to follow Mozilla's guidelines for setting up report-uri in CSP-Report-Only mode. My CSP:

function add_csp_header() {
    // CSP directives are separated by semicolons and must stay on one line:
    // PHP's header() rejects a value that contains a newline.
    header("Content-Security-Policy-Report-Only: report-uri " . get_bloginfo('url') . "/csp-endpoint; script-src 'self'");
    // some more, since only one header is rejected
}
add_action('send_headers', 'add_csp_header', 10);

The csp-endpoint file at the root is:

Report-To: { "group": "csp-endpoint",
      "max_age": 10886400,
      "endpoints": [
        { "url": "http://localhost:8888/wordpress/csp-endpoint" }
      ] }

And finally I have, also in the root directory, csp-report (a simple text file).

The console reports:

...some csp violation... a report is being sent

POST > http://localhost:8888/wordpress/csp-endpoint
Status 200 OK
Version HTTP/1.1
transmitted 762 B (194 B size)
//many headers and also
special request header
Content-Type: application/csp-report

This is the important part:

Request:
csp-report*** //the data that I want to retrieve

and finally the response:

Response:
Report-To: { "group": "csp-endpoint",
      "max_age": 10886400,
      "endpoints": [
        { "url": "http://localhost:8888/wordpress/csp-endpoint" }
      ] }

I tried to establish a rest_api custom endpoint listening to posts from the browser; I therefore assume the method has to be 'GET':

function test_csp_route() {
    register_rest_route( 'csp/v2', '/csp-endpoint', array(
        'methods'             => 'GET',
        'callback'            => 'load_request',
        'permission_callback' => '__return_true',
    ) );
}
add_action( 'rest_api_init', 'test_csp_route' );

I added this callback, but it retrieves the response body and I am aiming at the request body that contains the csp-report***:

function load_request() {
    $url = get_bloginfo('url') . '/csp-endpoint';
    // Send remote request (a GET to the site's own /csp-endpoint file, so what
    // comes back is that file's content, not the body of the browser's POST)
    $request = wp_remote_get($url);

    if (is_wp_error($request)) {
        // wp_remote_retrieve_* return '' on a WP_Error, so read the error itself
        return new WP_Error($request->get_error_code(), $request->get_error_message());
    }

    // Retrieve information
    $response_code    = wp_remote_retrieve_response_code($request);
    $response_message = wp_remote_retrieve_response_message($request);
    $response_body    = wp_remote_retrieve_body($request);

    return new WP_REST_Response(
        array(
            'status'        => $response_code,
            'response'      => $response_message,
            'body_response' => $response_body,
        )
    );
}

How can I retrieve the csp-report*** (see above) present in the request body and send the JSON to a file? Is the detour via rest_api really applicable, or is there a direct method to retrieve the request body?

This is rather complicated stuff. If you have the time and energy to provide an answer, that would be much appreciated. Thanks for the patience.


Solution

  • Essentially there should be an endpoint listening to receive CSP error reports. In WordPress you can create a REST API endpoint using the rest_api_init hook to handle CSP reports. Docs are here https://developer.wordpress.org/reference/hooks/rest_api_init/.

    The report data received via the endpoint can be logged to a file; in this case it could be the file you created, csp-reports.

    This requires some minimal coding and understanding of the workings of web applications.

    Hope this will help you!
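A worked version of what the answer describes, added here as an example and not code from the question or the answer above. It assumes a route namespace of `csp/v2` and a log path `CSP_REPORT_LOG` (both chosen for this example), and that the CSP header's `report-uri` points at the REST route rather than at the static `csp-endpoint` file, since a static file is just served back and the POSTed body is never read. The browser sends the report with a POST (as the console output in the question shows) and a `Content-Type` of `application/csp-report`, which the WordPress REST layer does not decode for you, so the callback reads the raw body with `get_body()` and decodes it itself. The endpoint is necessarily unauthenticated, so the body is treated as untrusted: it is size-limited, checked for the `csp-report` shape, reduced to the fields CSP defines, and written as one JSON object per line so a report cannot inject extra log lines.

```php
<?php
/**
 * Added example: receive browser CSP violation reports on a WordPress REST
 * route and append them to a log file. Names below (csp/v2, CSP_REPORT_LOG,
 * the function names) are this example's own assumptions.
 */

if ( ! defined( 'CSP_REPORT_LOG' ) ) {
    // Assumed log location; must be writable by the web server user.
    define( 'CSP_REPORT_LOG', WP_CONTENT_DIR . '/csp-reports.log' );
}
define( 'CSP_REPORT_MAX_BYTES', 16 * 1024 ); // refuse oversized bodies

// Send the policy with report-uri pointing at the REST route, not a static file.
function csp_add_report_only_header() {
    $endpoint = rest_url( 'csp/v2/csp-endpoint' );
    header( "Content-Security-Policy-Report-Only: script-src 'self'; report-uri {$endpoint}" );
}
add_action( 'send_headers', 'csp_add_report_only_header' );

function csp_register_report_route() {
    register_rest_route( 'csp/v2', '/csp-endpoint', array(
        // The browser POSTs the report, so the route must accept POST.
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'csp_receive_report',
        // Reports arrive without a login or nonce, so the route has to be
        // public; everything it receives is untrusted input.
        'permission_callback' => '__return_true',
    ) );
}
add_action( 'rest_api_init', 'csp_register_report_route' );

function csp_receive_report( WP_REST_Request $request ) {
    // WordPress only parses application/json bodies; the browser sends
    // application/csp-report, so read the raw body and decode it here.
    $raw = $request->get_body();
    if ( strlen( $raw ) > CSP_REPORT_MAX_BYTES ) {
        return new WP_Error( 'csp_report_too_large', 'Report too large', array( 'status' => 413 ) );
    }
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) || ! isset( $data['csp-report'] ) || ! is_array( $data['csp-report'] ) ) {
        return new WP_Error( 'csp_report_invalid', 'Expected a {"csp-report": {...}} object', array( 'status' => 400 ) );
    }

    // Keep only the fields the CSP report format defines; drop anything else
    // a client might add, and cap each value's length.
    $allowed = array(
        'document-uri', 'referrer', 'blocked-uri', 'effective-directive',
        'violated-directive', 'original-policy', 'disposition', 'source-file',
        'line-number', 'column-number', 'status-code', 'script-sample',
    );
    $clean = array();
    foreach ( $allowed as $key ) {
        if ( isset( $data['csp-report'][ $key ] ) && is_scalar( $data['csp-report'][ $key ] ) ) {
            $clean[ $key ] = substr( (string) $data['csp-report'][ $key ], 0, 2048 );
        }
    }

    $entry = array(
        'ts'         => gmdate( 'c' ),
        'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'user_agent' => substr( (string) $request->get_header( 'user_agent' ), 0, 512 ),
        'report'     => $clean,
    );
    // One JSON object per line: json encoding escapes newlines, so a report
    // cannot forge additional log lines. LOCK_EX serialises concurrent writers.
    $line = wp_json_encode( $entry ) . PHP_EOL;
    if ( false === file_put_contents( CSP_REPORT_LOG, $line, FILE_APPEND | LOCK_EX ) ) {
        return new WP_Error( 'csp_report_write_failed', 'Could not write log', array( 'status' => 500 ) );
    }

    // Browsers ignore the response body; 204 No Content is the usual reply.
    return new WP_REST_Response( null, 204 );
}
```

To exercise it without waiting for a real violation, post a constructed report to the route yourself, for example with `curl -X POST -H 'Content-Type: application/csp-report' --data '{"csp-report":{"document-uri":"http://localhost:8888/wordpress/","violated-directive":"script-src","blocked-uri":"inline"}}' http://localhost:8888/wordpress/wp-json/csp/v2/csp-endpoint` (with pretty permalinks disabled the route is reachable as `/?rest_route=/csp/v2/csp-endpoint` instead), and check that one line was appended to the log file. Note that `WP_CONTENT_DIR` is web-accessible on a default install, so in production either move the log outside the document root or block direct requests to it in the web server configuration.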