source: admin/csp_report.php @ 3451:bd71f12d4e47

Revision 3451:bd71f12d4e47, 2.0 KB checked in by franck <carnet.franck.paul@…>, 9 years ago (diff)

Move admin CSP admin/csp_report.txt to DC_VAR/csp/csp_report.json

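<?php
// From: https://github.com/nico3333fr/CSP-useful
//
// Note: this script requires PHP ≥ 5.4.
// Inspired from https://mathiasbynens.be/notes/csp-reports
//
// CSP violation report collector: the browser POSTs a JSON document of the
// form {"csp-report": {...}} to this URL (the policy's report-uri). Reports
// that are known false positives (browser extensions, in-app webviews) are
// dropped; every other report is pretty-printed and appended to LOGFILE.
// Nothing is echoed back, so the response body is always empty.

// Dareboost wants it? Not a problem.
header('X-Content-Type-Options: "nosniff"');

require __DIR__.'/../inc/admin/prepend.php';

// Specify log file
define('LOGFILE', path::real(DC_VAR).'/csp/csp_report.json');

// Upper bound (bytes) on a report we are willing to read and store. Real CSP
// reports are a few hundred bytes; the cap bounds what a single request can
// append to the log. Whether prepend.php already requires an authenticated
// session for this URL is not visible here, so the cap is kept regardless.
// Constructed value: raise it if legitimate reports ever get truncated.
$max_report_size = 65536;

// Get the raw POST data. Anything past the cap is discarded, which makes an
// oversized body fail the JSON check below instead of being stored.
$raw = file_get_contents('php://input', false, null, 0, $max_report_size);
if ($raw === false || $raw === '') {
    return;
}

// Only continue if it’s valid JSON with the expected {"csp-report": {...}}
// envelope, i.e. if it could be a CSP violation report. Checking the shape
// here avoids undefined-index notices (and, on PHP 8, TypeErrors in strpos)
// for arbitrary JSON documents, which would otherwise still end up in the log.
$data = json_decode($raw, true);
if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
    return;
}
$report = $data['csp-report'];

// get source-file and blocked-URI to perform some tests; both are optional
// in a report, a missing or non-string value is treated as empty.
$source_file = isset($report['source-file']) && is_string($report['source-file']) ? $report['source-file'] : '';
$blocked_uri = isset($report['blocked-uri']) && is_string($report['blocked-uri']) ? $report['blocked-uri'] : '';

// True when $haystack contains any of $needles (substring match anywhere in
// the value, which is what the strpos() tests below rely on).
$contains_any = function ($haystack, array $needles) {
    foreach ($needles as $needle) {
        if (strpos($haystack, $needle) !== false) {
            return true;
        }
    }
    return false;
};

// Values in source-file that mark a report as noise rather than a policy
// problem of the page itself:
$ignored_sources = array(
    // false positives notifications coming from Chrome extensions (Wappalyzer, MuteTab, etc.)
    // bug here https://code.google.com/p/chromium/issues/detail?id=524356
    'chrome-extension://',
    // false positives notifications coming from Safari extensions (diigo, evernote, etc.)
    'safari-extension://',
    // search engine extensions ?
    'se-extension://',
);
// Same for blocked-uri:
$ignored_blocked = array(
    // Safari extensions again, this time as the blocked resource
    'safari-extension://',
    // added by browsers in webviews
    'webviewprogressproxy://',
    // Google Search App see for details https://github.com/nico3333fr/CSP-useful/commit/ecc8f9b0b379ae643bc754d2db33c8b47e185fd1
    'gsa://onpageload',
);

if ($contains_any($source_file, $ignored_sources) || $contains_any($blocked_uri, $ignored_blocked)) {
    return;
}

// Prettify the JSON-formatted data
$json = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
if ($json === false) {
    return;
}

try {
    // Check report dir (create it if necessary)
    files::makeDir(dirname(LOGFILE), true);

    // Failure to open the log is silently ignored, as before: there is
    // nobody to report it to on this request.
    $fp = @fopen(LOGFILE, 'a');
    if ($fp === false) {
        return;
    }
    // Best-effort exclusive lock so two concurrent reports cannot interleave
    // inside the file. Records are written back to back with no separator,
    // exactly as before; a reader therefore has to split them itself.
    $locked = flock($fp, LOCK_EX);
    fwrite($fp, $json);
    if ($locked) {
        flock($fp, LOCK_UN);
    }
    fclose($fp);
} catch (Exception $e) {
    return;
}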