$this->verifyPostBodyOk();
$report = $this->getReport();
- $flags = $this->getFlags( $report );
+ $flags = $this->getFlags( $report, $userAgent );
$warningText = $this->generateLogLine( $flags, $report );
$this->logReport( $flags, $warningText, [
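Review bot: `$userAgent` is passed on line 4 but nothing in this hunk assigns it, and the enclosing method begins before line 1, so it is not visible where the value comes from. If it is read from the request's User-Agent header, an absent header may yield null rather than the `string` the new getFlags() docblock declares, and `ContentSecurityPolicy::falsePositiveBrowser()` would then receive it. Either coerce at the call site, `$flags = $this->getFlags( $report, (string)$userAgent );`, or document that the callee tolerates null.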
* Get extra notes about the report.
*
* @param array $report The CSP report
+ * @param string $userAgent
* @return array
*/
- private function getFlags( $report ) {
+ private function getFlags( $report, $userAgent ) {
$reportOnly = $this->getParameter( 'reportonly' );
$source = $this->getParameter( 'source' );
$falsePositives = $this->getConfig()->get( 'CSPFalsePositiveUrls' );
}
if (
- ( isset( $report['blocked-uri'] ) &&
- isset( $falsePositives[$report['blocked-uri']] ) )
- || ( isset( $report['source-file'] ) &&
- isset( $falsePositives[$report['source-file']] ) )
+ (
+ ContentSecurityPolicy::falsePositiveBrowser( $userAgent ) &&
+ $report['blocked-uri'] === "self"
+ ) ||
+ (
+ isset( $report['blocked-uri'] ) &&
+ isset( $falsePositives[$report['blocked-uri']] )
+ ) ||
+ (
+ isset( $report['source-file'] ) &&
+ isset( $falsePositives[$report['source-file']] )
+ )
) {
- // Report caused by Ad-Ware
+ // False positive due to:
+ // https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
+
$flags[] = 'false-positive';
}
return $flags;
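Review bot: The new first branch on line 26 reads `$report['blocked-uri']` without the `isset()` guard that the other two branches keep on lines 29 and 33, so a report that omits `blocked-uri` (the body is client-supplied, see verifyPostBodyOk on line 1) raises an undefined-index notice whenever the user agent matches. Guard it the same way: `isset( $report['blocked-uri'] ) && $report['blocked-uri'] === 'self'`. The comment replaced on lines 38-39 now sits above a flag that the two CSPFalsePositiveUrls branches also set, so it should say which condition the bug link explains, e.g. `// 'self' reported as blocked by affected browsers (https://bugzilla.mozilla.org/show_bug.cgi?id=1026520), or a configured CSPFalsePositiveUrls match`. getFlags's body starts outside this hunk, so it is not visible here whether `$flags` is initialised before line 41.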
/**
* Get the report from post body and turn into associative array.
*
- * @return Array
+ * @return array
*/
private function getReport() {
$postBody = $this->getRequest()->getRawInput();
private function generateLogLine( $flags, $report ) {
$flagText = '';
if ( $flags ) {
- $flagText = '[' . implode( $flags, ', ' ) . ']';
+ $flagText = '[' . implode( ', ', $flags ) . ']';
}
$blockedFile = isset( $report['blocked-uri'] ) ? $report['blocked-uri'] : 'n/a';
/**
* Mark as internal. This isn't meant to be used by normal api users
+ * @return bool
*/
public function isInternal() {
return true;
/**
* Even if you don't have read rights, we still want your report.
+ * @return bool
*/
public function isReadMode() {
return false;
* Doesn't touch db, so max lag should be rather irrelavent.
*
* Also, this makes sure that reports aren't lost during lag events.
+ * @return bool
*/
public function shouldCheckMaxLag() {
return false;