Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

Implement CSP report-uri at AEM

Avatar

Level 2
Level 2
7/19/24 4:00:27 AM

Hello everyone.

 

We have been requested to use a new CSP directive in the project, the directive is CSP: report-uri or CSP:report:to.

 

The problem is that these directives send an http-post request against a uri, which would be from the project itself in AEM.

 

Reviewing the AEM documentation, we have seen that you can only make a POST request, when the user is logged in and has a CSRF-token, and it has to be sent in the POST request so it does not return http-error 403.

 

Do you have any idea how we could implement it?

 

Thank you very much.

Best regards

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

Experience Manager as a Cloud Service

Views

250

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
7/19/24 6:56:01 AM

Hi, 

You need to implement a custom servlet that receives and processes the data sent from the CSP. This servlet should be set as the 'service' attribute that the CSP expects. It's important to note that the CSP policy should be utilized in a Publish instance where CSRF token issues are not present. For the author instance, you have the option to disable the CSP. Alternatively, if it's necessary to make it work in your author instance, you can configure the Adobe Granite CSRF Filter to exclude your servlet path, as follows:

EstebanBustamante_0-1721397218261.png

Before the config:

EstebanBustamante_2-1721397355702.png

 

After the config (no more 403 Error):

EstebanBustamante_1-1721397298048.png

My dummy CSP to make sure it fails:

"default-src 'self'; script-src https://apis.example.com; style-src 'self' ; report-uri /bin/random/api;" 

 

 

Hope this helps

 

 


Esteban Bustamante

View solution in original post

Views

224

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
1 Reply

Avatar

Correct answer by
Community Advisor
Community Advisor
7/19/24 6:56:01 AM

Hi, 

You need to implement a custom servlet that receives and processes the data sent from the CSP. This servlet should be set as the 'service' attribute that the CSP expects. It's important to note that the CSP policy should be utilized in a Publish instance where CSRF token issues are not present. For the author instance, you have the option to disable the CSP. Alternatively, if it's necessary to make it work in your author instance, you can configure the Adobe Granite CSRF Filter to exclude your servlet path, as follows:

EstebanBustamante_0-1721397218261.png

Before the config:

EstebanBustamante_2-1721397355702.png

 

After the config (no more 403 Error):

EstebanBustamante_1-1721397298048.png

My dummy CSP to make sure it fails:

"default-src 'self'; script-src https://apis.example.com; style-src 'self' ; report-uri /bin/random/api;" 

 

 

Hope this helps

 

 


Esteban Bustamante

Views

225

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Pipeline-free URL Redirects is not working in AEM Cloud Dispatcher Solved

Views

149

Likes

0

Replies

5
Reg: Video Smartcrops in AEM 6.5

Views

10

Likes

0

Replies

1
how to implement nonce for Content-Security-Policy script-src directive in dispatcher

Views

90

Likes

0

Replies

2
AEM session management and user access

Views

91

Likes

0

Replies

3
AEM Clud migration: Strategy to reduce ACS AEM Commons dependency

Views

61

Likes

0

Replies

1