helmetjs / helmet

Help secure Express apps with various HTTP headers

Home Page: https://helmetjs.github.io/

Getting Name of Blocked Script?

VikR1000 opened this issue · comments

Helmet used to report via console.log(), the name of any script that was blocked. It doesn't seem to do that currently. Am I missing something?

Note: I'm on Helmet v6.2.0 and will update to 7 as soon as possible.

Update: I added reportUri to my directives:

crossOriginEmbedderPolicy: false,
contentSecurityPolicy: {
    blockAllMixedContent: true,
    directives: {
        reportUri: '/report-violation',
        [.....]

On my server I have:

WebApp.connectHandlers.use('/report-violation', async (req, res, next) => {
    debugger;
    const report = req.body;
    console.log('cp #2. Helmet CSP Violation:', report);
    next();
});

That may look a little funky but that's how you access Express in Meteor, which is my build tool. :)

Anyway, so the '/report-violation' endpoint gets called. req comes in json-parsed into fields with keys and values. But there's no req.body field or req.rawbody field.

Where should I look for the name of the blocked function?

This seems to be working:

WebApp.connectHandlers.use('/report-violation', (req, res, next) => {
    // Check if the request method is POST
    if (req.method === 'POST') {
        // Collect the raw body ourselves; no body parser has run for this route
        let report = '';
        req.on('data', chunk => {
            report += chunk;
        });
        req.on('end', () => {
            try {
                // Attempt to parse the report as JSON
                const parsedReport = JSON.parse(report);
                try {
                    // Browsers wrap the violation fields in a "csp-report" object
                    const violatedDirective = parsedReport["csp-report"]["violated-directive"];
                    const effectiveDirective = parsedReport["csp-report"]["effective-directive"];
                    const blockedUri = parsedReport["csp-report"]["blocked-uri"];
                    console.log('Helmet CSP Violation: ', blockedUri);
                    console.log('violated-directive: ', violatedDirective);
                    console.log('effective-directive: ', effectiveDirective);
                    console.log('-----');
                } catch (err) {
                    // Thrown when the "csp-report" wrapper is missing
                    console.log('No blockedUri was found.');
                }

                // Send a response indicating the method is allowed
                res.writeHead(200, { 'Content-Type': 'text/plain' });
                res.end('POST method is allowed for this route.');
            } catch (error) {
                // Handle the case where the report is not valid JSON
                console.error('Error parsing report as JSON:', error);
                res.writeHead(400, { 'Content-Type': 'text/plain' });
                res.end('Bad Request: Invalid JSON');
            }
        });
    } else {
        // If not POST, respond with a 405 status code and include the Allow header
        res.writeHead(405, { 'Content-Type': 'text/plain', 'Allow': 'POST' });
        res.end('Method Not Allowed');
    }
    // No need to call next() here since we're sending a response
});

Note: Meteor's WebApp.connectHandlers has some differences from Express. This code would need revisions to work with Express.
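The reason req.body is empty above is that browsers POST report-uri violations with Content-Type application/csp-report, which express.json() does not parse by default (it only handles application/json). The following is an added example, not Helmet's code and not the issue author's: a handler usable from Express or Meteor's WebApp.connectHandlers that reads the stream itself, validates the report shape, and rejects oversized or malformed bodies. The 64 KiB cap and the sample report are assumptions.

```javascript
// Added example, not Helmet's code; the 64 KiB cap and sample report are assumptions.
// True for a browser's report-uri POST (older clients send application/json).
function isCspReportRequest(method, contentType) {
  if (method !== 'POST' || typeof contentType !== 'string') return false;
  const mime = contentType.split(';')[0].trim().toLowerCase();
  return mime === 'application/csp-report' || mime === 'application/json';
}

// Parse a raw report body into the fields worth logging, or null when the body
// is not JSON or lacks the "csp-report" wrapper object browsers send.
function parseCspReport(rawBody) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  const field = (k) => (r[k] === undefined ? '' : String(r[k]));
  return {
    documentUri: field('document-uri'),
    blockedUri: field('blocked-uri'),             // "inline", "eval", or a URL
    violatedDirective: field('violated-directive'),
    effectiveDirective: field('effective-directive') || field('violated-directive'),
  };
}

// Handler for Express or Meteor's WebApp.connectHandlers; reads the stream itself
// and caps the body so a noisy or hostile client cannot exhaust memory.
function cspReportHandler({ maxBytes = 64 * 1024, log = console.log } = {}) {
  return (req, res) => {
    if (!isCspReportRequest(req.method, req.headers['content-type'])) {
      res.writeHead(req.method === 'POST' ? 415 : 405, { Allow: 'POST' });
      return res.end();
    }
    let raw = '';
    req.on('data', (chunk) => {
      if (raw === null) return;                   // already rejected as too large
      raw += chunk;
      if (raw.length > maxBytes) { raw = null; res.writeHead(413); res.end(); req.destroy(); }
    });
    req.on('end', () => {
      if (raw === null) return;
      const report = parseCspReport(raw);
      if (!report) { res.writeHead(400); return res.end('Bad CSP report'); }
      log('CSP violation:', report);              // forward to your SIEM instead of stdout
      res.writeHead(204); res.end();
    });
  };
}
// Constructed sample of what a browser POSTs when an inline script is blocked.
const SAMPLE_REPORT = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://app.example/', 'blocked-uri': 'inline',
  'violated-directive': 'script-src-elem', 'effective-directive': 'script-src-elem' } });
```

Mount it with app.post('/report-violation', cspReportHandler()) in Express, or WebApp.connectHandlers.use('/report-violation', cspReportHandler()) in Meteor.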