[FIX] CSP Middleware: Export middleware, add report-uri

SAP · Jul 10, 2018 · 2091c0c · 2091c0c
1 parent 5bbed61
commit 2091c0c
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/index.js b/index.js
@@ -2,6 +2,7 @@ const ui5Server = {
 	server: require("./lib/server"),
 	sslUtil: require("./lib/sslUtil"),
 	middleware: {
+		csp: require("./lib/middleware/csp"),
 		discovery: require("./lib/middleware/discovery"),
 		nonReadRequests: require("./lib/middleware/discovery"),
 		serveIndex: require("./lib/middleware/serveIndex"),

diff --git a/lib/middleware/csp.js b/lib/middleware/csp.js
@@ -7,15 +7,24 @@ const rPolicy = /([-_a-zA-Z0-9]+)(:report-only)?/i;
 
 function createMiddleware(sCspUrlParameterName, oConfig) {
 	const {
-		allowDynamicPolicySelection=false,
-		allowDynamicPolicyDefinition=false,
-		defaultPolicyIsReportOnly=false
+		allowDynamicPolicySelection = false,
+		allowDynamicPolicyDefinition = false,
+		defaultPolicyIsReportOnly = false
 	} = oConfig;
 
 	return function csp(req, res, next) {
 		let oPolicy;
 		let bReportOnly = defaultPolicyIsReportOnly;
 
+		if (req.method === "POST" &&
+			req.headers["content-type"] === "application/csp-report" &&
+			req.url.endsWith("/dummy.csplog")
+		) {
+			// In report-only mode there must be a report-uri defined
+			// For now just ignore the violation. It will be logged in the browser anyway.
+			return;
+		}
+
 		// If a policy with name 'default' is defined, it will even be send without a present URL parameter.
 		if (oConfig.definedPolicies["default"]) {
 			oPolicy = {
@@ -24,7 +33,6 @@ function createMiddleware(sCspUrlParameterName, oConfig) {
 			};
 		}
 
-		// Use random protocol, host and port to establish a valid URL for parsing query parameters
 		let oParsedUrl = url.parse(req.url);
 		let oQuery = querystring.parse(oParsedUrl.query);
 		let sCspUrlParameterValue = oQuery[sCspUrlParameterName];
@@ -54,7 +62,14 @@ function createMiddleware(sCspUrlParameterName, oConfig) {
 
 		if (oPolicy) {
 			let sHeader = bReportOnly ? HEADER_CONTENT_SECURITY_POLICY_REPORT_ONLY : HEADER_CONTENT_SECURITY_POLICY;
-			let sHeaderValue = oPolicy.policy;
+			let sHeaderValue;
+
+			if (bReportOnly) {
+				// Add dummy report-uri. This is mandatory for the report-only mode.
+				sHeaderValue = oPolicy.policy + " report-uri dummy.csplog;";
+			} else {
+				sHeaderValue = oPolicy.policy;
+			}
 
 			// Send response with CSP header
 			res.removeHeader(HEADER_CONTENT_SECURITY_POLICY);