Bug 548193 - Make CSP send reports as JSON, r=sicking
authorBrandon Sterne <bsterne@mozilla.com>
Thu, 27 May 2010 09:07:36 -0700
changeset 42868 6ec180ff146f600eef3f2586a69b2f06e930bcf9
parent 42867 35e53877db8f48d64fe3a8fcb2cd5663c0821441
child 42869 373675ded1805ff895c63837786fee0d3f449cc1
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewerssicking
bugs548193
milestone1.9.3a5pre
Bug 548193 - Make CSP send reports as JSON, r=sicking
content/base/src/contentSecurityPolicy.js
--- a/content/base/src/contentSecurityPolicy.js
+++ b/content/base/src/contentSecurityPolicy.js
@@ -241,44 +241,41 @@ ContentSecurityPolicy.prototype = {
   /**
    * Generates and sends a violation report to the specified report URIs.
    */
   sendReports:
   function(blockedUri, violatedDirective) {
     var uriString = this._policy.getReportURIs();
     var uris = uriString.split(/\s+/);
     if (uris.length > 0) {
-      // Generate report to send composed of:
-      // <csp-report>
-      //   <request>GET /index.html HTTP/1.1</request>
-      //   <request-headers>Host: example.com
-      //            User-Agent: ...
-      //            ...
-      //   </request-headers>
-      //   <blocked-uri>...</blocked-uri>
-      //   <violated-directive>...</violated-directive>
-      // </csp-report>
-      //   
+      // Generate report to send composed of
+      // {
+      //   csp-report: {
+      //     request: "GET /index.html HTTP/1.1",
+      //     request-headers: "Host: example.com
+      //                       User-Agent: ...
+      //                       ...",
+      //     blocked-uri: "...",
+      //     violated-directive: "..."
+      //   }
+      // }
       var strHeaders = "";
       for (let i in this._requestHeaders) {
         strHeaders += this._requestHeaders[i] + "\n";
       }
-
-      var report = "<csp-report>\n" +
-        " <request>" + this._request + "</request>\n" +
-        "   <request-headers><![CDATA[\n" +
-        strHeaders +
-        "   ]]></request-headers>\n" +
-        "   <blocked-uri>" + 
-        (blockedUri instanceof Ci.nsIURI ? blockedUri.asciiSpec : blockedUri) + 
-        "</blocked-uri>\n" +
-        "   <violated-directive>" + violatedDirective + "</violated-directive>\n" +
-        "</csp-report>\n";
-
-      CSPdebug("Constructed violation report:\n" + report);
+      var report = {
+        'csp-report': {
+          'request': this._request,
+          'request-headers': strHeaders,
+          'blocked-uri': (blockedUri instanceof Ci.nsIURI ?
+                          blockedUri.asciiSpec : blockedUri),
+          'violated-directive': violatedDirective
+        }
+      }
+      CSPdebug("Constructed violation report:\n" + JSON.stringify(report));
 
       // For each URI in the report list, send out a report.
       for (let i in uris) {
         if (uris[i] === "")
           continue;
 
         var failure = function(aEvt) {  
           if (req.readyState == 4 && req.status != 200) {
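Review bot: The new report object still carries `strHeaders`, which the loop on the preceding lines builds from every entry of `this._requestHeaders`; if that collection includes credential-bearing headers (Cookie, Authorization), they now travel verbatim in the JSON body to whichever report URIs the policy names, so the set of headers copied into `'request-headers'` deserves an explicit allow-list or at least a comment stating what `_requestHeaders` is expected to contain. The object literal assigned to `report` ends without a terminating semicolon (`}` then `CSPdebug(...)`), which the surrounding code does not otherwise rely on ASI for; write `};`. `JSON.stringify(report)` is also computed here for the debug line and again in the send loop of the next hunk; serializing once, e.g. `var reportString = JSON.stringify(report);`, and reusing it in both places keeps the logged and transmitted bodies guaranteed identical. sendReports continues past the end of this hunk.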
@@ -296,17 +293,17 @@ ContentSecurityPolicy.prototype = {
           //req.channel.loadFlags |= Ci.nsIRequest.LOAD_BYPASS_CACHE;
  
           // make request anonymous
           // This prevents sending cookies with the request,
           // in case the policy URI is injected, it can't be
           // abused for CSRF.
           req.channel.loadFlags |= Ci.nsIChannel.LOAD_ANONYMOUS;
 
-          req.send(report);
+          req.send(JSON.stringify(report));
           CSPdebug("Sent violation report to " + uris[i]);
         } catch(e) {
           // it's possible that the URI was invalid, just log a
           // warning and skip over that.
           CSPWarning("Tried to send report to invalid URI: \"" + uris[i] + "\"");
         }
       }
     }
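Review bot: `req.send(JSON.stringify(report))` changes the wire format of the report body, but nothing in this hunk sets or updates a Content-Type header on `req`; if one is set for the old XML body in the lines above this hunk it should now be `application/json`, and if none is set the receiving endpoint has no declared media type to validate against, which a note such as `// body is JSON; keep Content-Type in sync with the report format` next to the send would make explicit. The enclosing sendReports function begins in the previous hunk and its closing brace lies outside this one.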