Expand my Community achievements bar.

July 31st AEM Gems Webinar: Elevate your AEM development to master the integration of private GitHub repositories within AEM Cloud Manager.
Register Now
SOLVED

Implement CSP report-uri at AEM

Avatar

Level 1
Level 1
7/19/24 4:00:27 AM

Hello everyone.

 

We have been requested to use a new CSP directive in the project, the directive is CSP: report-uri or CSP:report:to.

 

The problem is that these directives send an http-post request against a uri, which would be from the project itself in AEM.

 

Reviewing the AEM documentation, we have seen that you can only make a POST request, when the user is logged in and has a CSRF-token, and it has to be sent in the POST request so it does not return http-error 403.

 

Do you have any idea how we could implement it?

 

Thank you very much.

Best regards

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

Experience Manager as a Cloud Service

Views

90

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
7/19/24 6:56:01 AM

Hi, 

You need to implement a custom servlet that receives and processes the data sent from the CSP. This servlet should be set as the 'service' attribute that the CSP expects. It's important to note that the CSP policy should be utilized in a Publish instance where CSRF token issues are not present. For the author instance, you have the option to disable the CSP. Alternatively, if it's necessary to make it work in your author instance, you can configure the Adobe Granite CSRF Filter to exclude your servlet path, as follows:

EstebanBustamante_0-1721397218261.png

Before the config:

EstebanBustamante_2-1721397355702.png

 

After the config (no more 403 Error):

EstebanBustamante_1-1721397298048.png

My dummy CSP to make sure it fails:

"default-src 'self'; script-src https://apis.example.com; style-src 'self' ; report-uri /bin/random/api;" 

 

 

Hope this helps

 

 


Esteban Bustamante

View solution in original post

Views

64

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
1 Reply

Avatar

Correct answer by
Community Advisor
Community Advisor
7/19/24 6:56:01 AM

Hi, 

You need to implement a custom servlet that receives and processes the data sent from the CSP. This servlet should be set as the 'service' attribute that the CSP expects. It's important to note that the CSP policy should be utilized in a Publish instance where CSRF token issues are not present. For the author instance, you have the option to disable the CSP. Alternatively, if it's necessary to make it work in your author instance, you can configure the Adobe Granite CSRF Filter to exclude your servlet path, as follows:

EstebanBustamante_0-1721397218261.png

Before the config:

EstebanBustamante_2-1721397355702.png

 

After the config (no more 403 Error):

EstebanBustamante_1-1721397298048.png

My dummy CSP to make sure it fails:

"default-src 'self'; script-src https://apis.example.com; style-src 'self' ; report-uri /bin/random/api;" 

 

 

Hope this helps

 

 


Esteban Bustamante

Views

65

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
AEM Personalization By Creating an Offer Vs Adobe Target Solved

Views

120

Likes

0

Replies

5
Can we persist GraphQL query in AEM passed to backend external server. (Non content Fragment Queries)?

Views

36

Likes

0

Replies

1
AEM integration with Azure isn't working for group

Views

43

Likes

0

Replies

1
Migrating users and groups from AEM MS instance to AEMaaCS

Views

105

Likes

0

Replies

2
AEM Setup on MAC OS

Views

129

Likes

0

Replies

4