franzo - 11 months ago 57
ASP.NET (C#) Question

Accessing Content Security Policy violation reports posted to ASP.Net

For example if you have a CSP like

default-src 'self'; report-uri /CspViolationReport

and if /CspViolationReport is handled by ASP.Net, how do you access the CSP violation report that is posted?

We expect to find some JSON posted, e.g.

When you inspect
, there are no keys, and there is no evidence of it in
, but
is "POST".

Intercepting the POST with Fiddler, you can see that the JSON is certainly being posted, but .Net doesn't seem to let you see it.

Answer Source

Here's a way, inspired by, thanks!

using System.IO;
using System.Web;
using Newtonsoft.Json;

void ProcessCspValidationReport() {
    // The report arrives with Content-Type: application/csp-report, which ASP.NET
    // does not parse into Request.Form, so read the raw request body instead.
    Request.InputStream.Position = 0;
    using (StreamReader inputStream = new StreamReader(Request.InputStream)) {
        string s = inputStream.ReadToEnd();
        if (!string.IsNullOrWhiteSpace(s)) {
            CspPost cspPost = JsonConvert.DeserializeObject<CspPost>(s);
            //now you can access properties of cspPost.CspReport
        }
    }
}

// The JSON keys are hyphenated ("csp-report", "document-uri", ...), so each
// property needs an explicit name for Json.NET to map it.
class CspPost {
    [JsonProperty("csp-report")]
    public CspReport CspReport { get; set; }
}

class CspReport {
    [JsonProperty("document-uri")]
    public string DocumentUri { get; set; }

    [JsonProperty("referrer")]
    public string Referrer { get; set; }

    [JsonProperty("effective-directive")]
    public string EffectiveDirective { get; set; }

    [JsonProperty("violated-directive")]
    public string ViolatedDirective { get; set; }

    [JsonProperty("original-policy")]
    public string OriginalPolicy { get; set; }

    [JsonProperty("blocked-uri")]
    public string BlockedUri { get; set; }

    [JsonProperty("source-file")]
    public string SourceFile { get; set; }

    [JsonProperty("line-number")]
    public int LineNumber { get; set; }

    [JsonProperty("column-number")]
    public int ColumnNumber { get; set; }

    [JsonProperty("status-code")]
    public string StatusCode { get; set; }
}
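A complete report-uri endpoint, added here as an example and not part of the original answer: an IHttpHandler for the /CspViolationReport path named in the policy above that rejects anything other than a POST with Content-Type application/csp-report, caps the body size, reads the raw body, parses it with the same hyphenated-key mapping, and answers 204. The class names (CspReportHandler, CspReportParser, Demo), the 16 KiB limit, the web.config registration line and the sample report are all assumptions constructed for this example.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Web;
using Newtonsoft.Json;

// Added example, not code from the original post. Register it in web.config, e.g.
//   <add name="CspReport" verb="POST" path="CspViolationReport" type="CspReportHandler" />
// under <system.webServer><handlers>; class, method and config names are assumptions.
public class CspReportHandler : IHttpHandler {
    // Genuine reports are tiny; capping the body keeps an unauthenticated
    // endpoint from being used to make the server buffer arbitrary data.
    private const int MaxBodyBytes = 16 * 1024;

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context) {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // Browsers POST reports with Content-Type: application/csp-report.
        // ASP.NET only parses form-encoded and multipart bodies into
        // Request.Form, which is why the report never appears there.
        string contentType = request.ContentType ?? "";
        if (request.HttpMethod != "POST" ||
            !contentType.StartsWith("application/csp-report", StringComparison.OrdinalIgnoreCase)) {
            response.StatusCode = 415; // Unsupported Media Type
            return;
        }
        if (request.ContentLength > MaxBodyBytes) {
            response.StatusCode = 413; // Payload Too Large
            return;
        }

        string body;
        request.InputStream.Position = 0;
        using (StreamReader reader = new StreamReader(request.InputStream)) {
            body = reader.ReadToEnd();
        }

        CspReport report = CspReportParser.Parse(body);
        if (report == null) {
            response.StatusCode = 400; // Bad Request: not a CSP report
            return;
        }

        // Anyone can POST to this URL, so every field is untrusted text:
        // log it, but never render it unescaped in an admin page.
        Trace.TraceWarning("CSP violation on {0}: {1} blocked {2}",
            report.DocumentUri, report.ViolatedDirective, report.BlockedUri);
        response.StatusCode = 204; // No Content; the browser ignores any body
    }
}

public static class CspReportParser {
    // Returns null for an empty body, malformed JSON, or JSON without csp-report.
    public static CspReport Parse(string json) {
        if (string.IsNullOrWhiteSpace(json)) return null;
        try {
            CspPost post = JsonConvert.DeserializeObject<CspPost>(json);
            return post == null ? null : post.CspReport;
        } catch (JsonException) {
            return null;
        }
    }
}

// Same hyphenated-key mapping as the answer's DTOs, trimmed to the fields used here.
public class CspPost {
    [JsonProperty("csp-report")] public CspReport CspReport { get; set; }
}

public class CspReport {
    [JsonProperty("document-uri")] public string DocumentUri { get; set; }
    [JsonProperty("violated-directive")] public string ViolatedDirective { get; set; }
    [JsonProperty("blocked-uri")] public string BlockedUri { get; set; }
    [JsonProperty("original-policy")] public string OriginalPolicy { get; set; }
}

// Constructed sample report (an inline script blocked under the policy from the
// question), so the parser can be exercised without a browser or IIS.
public static class Demo {
    public const string SampleReport =
        "{\"csp-report\":{\"document-uri\":\"https://example.test/page\"," +
        "\"violated-directive\":\"default-src 'self'\",\"blocked-uri\":\"inline\"," +
        "\"original-policy\":\"default-src 'self'; report-uri /CspViolationReport\"}}";

    public static void Main() {
        CspReport r = CspReportParser.Parse(SampleReport);
        Console.WriteLine(r.ViolatedDirective + " blocked " + r.BlockedUri + " on " + r.DocumentUri);
    }
}
```

Two things to keep in mind when wiring this up: the browser builds the report POST itself, so the endpoint must not sit behind anti-forgery token validation or it will reject every report; and because the endpoint is reachable by anyone, the parsed fields should be stored and displayed as untrusted text, never echoed into HTML unescaped.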