asp.net核心中的csp-report端点 [英] csp-report endpoint in asp.net core
问题描述
我正在尝试在asp.net核心Web应用程序中设置CSP,并且CSP部分工作正常,当将违规发送到report-uri端点时,我可以在浏览器控制台中看到它们.
I'm trying to set up CSP in an asp.net core webapp, and the CSP part works fine, I can see the violations in the browser console as they are sent to the report-uri endpoint.
但是,我似乎无法在控制器中创建正确的方法来接收这些消息!
However, I cannot seem to create the correct method in a controller to receive these messages!
我在控制器中创建一个方法为:
I create a method in the controller as:
[HttpPost]
[AllowAnonymous]
public IActionResult UriReport(CspReportRequest request)
{
_log.LogError("CSP violation: " + request);
return Ok();
}
,它将被调用,但"request"参数始终为null.一些搜索显示,我需要使用[FromBody]属性从主体读取数据,但是一旦将其放入,就不再被调用. (CspReportRequest是一个具有与csp-report有效负载相匹配的属性的类,但它也不适用于字符串类型.)
and it will be called, but the 'request' parameter is always null. Some searching reveals that I need to use the [FromBody] attribute to read the data from the body, but once I put that in, it no longer gets called. (CspReportRequest is a class with properties matching the csp-report payload, but it doesn't work with string type either.)
因此,进一步阅读建议我为主体的发送方式为"application/csp-report"内容类型添加一个处理程序:
So further reading suggests I add a handler for the 'application/csp-report' content-type that the body is being sent as:
services.Configure<MvcOptions>(options => {
options.InputFormatters.OfType<JsonInputFormatter>().First().SupportedMediaTypes.Add(
new MediaTypeHeaderValue("application/csp-report"));
});
但这似乎没有什么不同.
But this doesn't seem to make a difference.
所以-我如何做出正确的控制器签名和/或正确的服务处理程序选项以接收数据.
So - how do I make the correct controller signature, and/or the correct service handler options to receive the data.
推荐答案
要完成此工作,需要做两件事.首先是将[FromBody]添加到您的CspReportRequest request参数 1 :
There are two things required to make this work. The first is adding [FromBody] to your CspReportRequest request parameter1:
public IActionResult UriReport([FromBody] CspReportRequest request)
没有[FromBody],JsonInputFormatter将不用于解析请求正文.但是,和 [FromBody]一起,您将开始看到415响应.
Without [FromBody], the JsonInputFormatter will not be used to parse the request body. However, with [FromBody], you're going to start seeing 415 responses.
第二件事是配置JsonInputFormatter以支持您已经尝试做的application/csp-report媒体类型.您的方法的问题在于,实际上配置了First()更改为Last() 2 ,它应该可以工作.
The second thing is configuring the JsonInputFormatter to support the application/csp-report media-type, which you've already attempted to do. The problem with your approach is that there are actually two instances of JsonInputFormatter configured, and you're affecting the wrong one. If you just change from First() to Last()2, it should work.
为什么?集合中的第一个JsonInputFormatter实际上是
Why? The first JsonInputFormatter in the collection is actually an instance of JsonPatchInputFormatter, which extends JsonInputFormatter:
public class JsonPatchInputFormatter : JsonInputFormatter
这是第一个添加的,因此它是您要配置的.它不能处理CspReportRequest的实例,因为它具有有关处理JsonPatchDocument<T>等的特定规则,因此它会传递到第二个JsonInputFormatter.如前所述,第二个实例未配置为支持application/csp-report,因此它也无法处理请求.
This gets added first and so it's the one you're configuring. It can't process an instance of CspReportRequest because it has specific rules about handling JsonPatchDocument<T>, etc, so it passes on to the second JsonInputFormatter. This second instance isn't configured to support application/csp-report, as I've mentioned, so it also can't handle the request.
1 如果您使用的是[ApiController],则不需要使用[FromBody],但是问题中的所有内容都表明您没有使用[ApiController].
1 If you're using [ApiController], you won't need to use [FromBody], but everything from your question suggests that you're not using [ApiController].
2 使用Last()代替First()不一定是这里的最佳方法,但是它应该证明问题出在哪里.有很多方法可以获取您感兴趣的特定JsonInputFormatter.
2 Using Last() instead of First() isn't necessarily the best approach here, but it should demonstrate where the problem lies. There are many ways to get the specific JsonInputFormatter you are interested in.
这篇关于asp.net核心中的csp-report端点的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
