Expand my Community achievements bar.

SOLVED

Implement CSP report-uri at AEM

Avatar

Level 2

Hello everyone.

 

We have been requested to use a new CSP directive in the project, the directive is CSP: report-uri or CSP:report:to.

 

The problem is that these directives send an http-post request against a uri, which would be from the project itself in AEM.

 

Reviewing the AEM documentation, we have seen that you can only make a POST request, when the user is logged in and has a CSRF-token, and it has to be sent in the POST request so it does not return http-error 403.

 

Do you have any idea how we could implement it?

 

Thank you very much.

Best regards

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi, 

You need to implement a custom servlet that receives and processes the data sent from the CSP. This servlet should be set as the 'service' attribute that the CSP expects. It's important to note that the CSP policy should be utilized in a Publish instance where CSRF token issues are not present. For the author instance, you have the option to disable the CSP. Alternatively, if it's necessary to make it work in your author instance, you can configure the Adobe Granite CSRF Filter to exclude your servlet path, as follows:

EstebanBustamante_0-1721397218261.png

Before the config:

EstebanBustamante_2-1721397355702.png

 

After the config (no more 403 Error):

EstebanBustamante_1-1721397298048.png

My dummy CSP to make sure it fails:

"default-src 'self'; script-src https://apis.example.com; style-src 'self' ; report-uri /bin/random/api;" 

 

 

Hope this helps

 

 



Esteban Bustamante

View solution in original post

1 Reply

Avatar

Correct answer by
Community Advisor

Hi, 

You need to implement a custom servlet that receives and processes the data sent from the CSP. This servlet should be set as the 'service' attribute that the CSP expects. It's important to note that the CSP policy should be utilized in a Publish instance where CSRF token issues are not present. For the author instance, you have the option to disable the CSP. Alternatively, if it's necessary to make it work in your author instance, you can configure the Adobe Granite CSRF Filter to exclude your servlet path, as follows:

EstebanBustamante_0-1721397218261.png

Before the config:

EstebanBustamante_2-1721397355702.png

 

After the config (no more 403 Error):

EstebanBustamante_1-1721397298048.png

My dummy CSP to make sure it fails:

"default-src 'self'; script-src https://apis.example.com; style-src 'self' ; report-uri /bin/random/api;" 

 

 

Hope this helps

 

 



Esteban Bustamante