Bug 548193 - Make CSP send reports as JSON, r=sicking

2010-05-27 09:07:36 -07:00 · 2010-05-27 09:07:36 -07:00 · 3afed3d802
--- a/content/base/src/contentSecurityPolicy.js
+++ b/content/base/src/contentSecurityPolicy.js
@ -246,34 +246,31 @@ ContentSecurityPolicy.prototype = {
    var uriString = this._policy.getReportURIs();
    var uris = uriString.split(/\s+/);
    if (uris.length > 0) {
-      // Generate report to send composed of:
-      // <csp-report>
-      //   <request>GET /index.html HTTP/1.1</request>
-      //   <request-headers>Host: example.com
-      //            User-Agent: ...
-      //            ...
-      //   </request-headers>
-      //   <blocked-uri>...</blocked-uri>
-      //   <violated-directive>...</violated-directive>
-      // </csp-report>
-      //   
+      // Generate report to send composed of
+      // {
+      //   csp-report: {
+      //     request: "GET /index.html HTTP/1.1",
+      //     request-headers: "Host: example.com
+      //                       User-Agent: ...
+      //                       ...",
+      //     blocked-uri: "...",
+      //     violated-directive: "..."
+      //   }
+      // }
      var strHeaders = "";
      for (let i in this._requestHeaders) {
        strHeaders += this._requestHeaders[i] + "\n";
      }
-
-      var report = "<csp-report>\n" +
-        " <request>" + this._request + "</request>\n" +
-        "   <request-headers><![CDATA[\n" +
-        strHeaders +
-        "   ]]></request-headers>\n" +
-        "   <blocked-uri>" + 
-        (blockedUri instanceof Ci.nsIURI ? blockedUri.asciiSpec : blockedUri) + 
-        "</blocked-uri>\n" +
-        "   <violated-directive>" + violatedDirective + "</violated-directive>\n" +
-        "</csp-report>\n";
-
-      CSPdebug("Constructed violation report:\n" + report);
+      var report = {
+        'csp-report': {
+          'request': this._request,
+          'request-headers': strHeaders,
+          'blocked-uri': (blockedUri instanceof Ci.nsIURI ?
+                          blockedUri.asciiSpec : blockedUri),
+          'violated-directive': violatedDirective
+        }
+      }
+      CSPdebug("Constructed violation report:\n" + JSON.stringify(report));

      // For each URI in the report list, send out a report.
      for (let i in uris) {
@ -301,7 +298,7 @@ ContentSecurityPolicy.prototype = {
          // abused for CSRF.
          req.channel.loadFlags |= Ci.nsIChannel.LOAD_ANONYMOUS;

-          req.send(report);
+          req.send(JSON.stringify(report));
          CSPdebug("Sent violation report to " + uris[i]);
        } catch(e) {
          // it's possible that the URI was invalid, just log a