feat: support legacy csp reports

Author: sgtoj

README.md

@@ -6,9 +6,10 @@ Simple, self-hosted Go service for browser Reporting API ingestion.
 
 ### What
 
-`browser-reporting-api` is an HTTP service that receives browser Reporting API
-payloads (`application/reports+json`), validates each report entry, and streams
-accepted entries to stdout as NDJSON (one JSON object per line).
+`browser-reporting-api` is an HTTP service that receives browser reporting
+payloads (`application/reports+json` and legacy `application/csp-report` from
+`report-uri`), validates each report entry, and streams accepted entries to
+stdout as NDJSON (one JSON object per line).
 
 The payload format and reporting behavior align with the browser Reporting API
 documented by

internal/parser/json_parser.go

@@ -1,6 +1,7 @@
 package parser
 
 import (
+	"bytes"
 	"encoding/json"
 	"io"
 
@@ -18,11 +19,22 @@ func NewJSONBatchParser() *JSONBatchParser {
 
 func (p *JSONBatchParser) ParseBatch(r io.Reader) ([]domain.IncomingReport, error) {
 	decoder := json.NewDecoder(r)
-	var reports []domain.IncomingReport
-	if err := decoder.Decode(&reports); err != nil {
+
+	var payload json.RawMessage
+	if err := decoder.Decode(&payload); err != nil {
 		return nil, errors.Wrap(err, "decode reports payload")
 	}
 
+	payload = bytes.TrimSpace(payload)
+	if len(payload) == 0 {
+		return nil, errors.New("reports payload must include at least one report")
+	}
+
+	reports, err := parseReportsPayload(payload)
+	if err != nil {
+		return nil, err
+	}
+
 	if len(reports) == 0 {
 		return nil, errors.New("reports payload must include at least one report")
 	}
@@ -34,3 +46,50 @@ func (p *JSONBatchParser) ParseBatch(r io.Reader) ([]domain.IncomingReport, erro
 
 	return reports, nil
 }
+
+func parseReportsPayload(payload json.RawMessage) ([]domain.IncomingReport, error) {
+	if payload[0] == '[' {
+		var reports []domain.IncomingReport
+		if err := json.Unmarshal(payload, &reports); err != nil {
+			return nil, errors.Wrap(err, "decode reports payload")
+		}
+		return reports, nil
+	}
+
+	if payload[0] == '{' {
+		return parseLegacyCSPReportPayload(payload)
+	}
+
+	return nil, errors.New("reports payload must be a JSON array or object")
+}
+
+func parseLegacyCSPReportPayload(payload json.RawMessage) ([]domain.IncomingReport, error) {
+	var legacy struct {
+		CSPReport json.RawMessage `json:"csp-report"`
+	}
+
+	if err := json.Unmarshal(payload, &legacy); err != nil {
+		return nil, errors.Wrap(err, "decode reports payload")
+	}
+
+	trimmed := bytes.TrimSpace(legacy.CSPReport)
+	if len(trimmed) == 0 {
+		return nil, errors.New("legacy csp payload must include csp-report")
+	}
+	if trimmed[0] != '{' {
+		return nil, errors.New("legacy csp payload must include csp-report object")
+	}
+
+	var body struct {
+		DocumentURI string `json:"document-uri"`
+	}
+	if err := json.Unmarshal(trimmed, &body); err != nil {
+		return nil, errors.Wrap(err, "decode legacy csp-report body")
+	}
+
+	return []domain.IncomingReport{{
+		Type: "csp-violation",
+		URL:  body.DocumentURI,
+		Body: trimmed,
+	}}, nil
+}

internal/parser/json_parser_test.go

@@ -29,3 +29,29 @@ func TestParseBatchRejectsTrailingTopLevelValue(t *testing.T) {
 		t.Fatal("expected error")
 	}
 }
+
+func TestParseBatchAcceptsLegacyCSPReportURIFormat(t *testing.T) {
+	reports, err := NewJSONBatchParser().ParseBatch(strings.NewReader(`{"csp-report":{"document-uri":"https://site.example/page","violated-directive":"frame-src"}}`))
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if len(reports) != 1 {
+		t.Fatalf("expected 1 report, got %d", len(reports))
+	}
+
+	if reports[0].Type != "csp-violation" {
+		t.Fatalf("expected csp-violation type, got %q", reports[0].Type)
+	}
+
+	if reports[0].URL != "https://site.example/page" {
+		t.Fatalf("unexpected url %q", reports[0].URL)
+	}
+}
+
+func TestParseBatchRejectsLegacyCSPReportWithoutBody(t *testing.T) {
+	_, err := NewJSONBatchParser().ParseBatch(strings.NewReader(`{"type":"csp-violation"}`))
+	if err == nil {
+		t.Fatal("expected error")
+	}
+}

internal/reporting/handler.go

@@ -88,16 +88,16 @@ func (h *Handler) setCORSHeaders(w http.ResponseWriter, r *http.Request) bool {
 
 func ensureReportsContentType(value string) error {
 	if strings.TrimSpace(value) == "" {
-		return errors.New("content-type must be application/reports+json")
+		return errors.New("content-type must be application/reports+json or application/csp-report")
 	}
 
 	mediaType, _, err := mime.ParseMediaType(value)
 	if err != nil {
 		return errors.New("invalid content-type")
 	}
 
-	if mediaType != "application/reports+json" {
-		return errors.New("content-type must be application/reports+json")
+	if mediaType != "application/reports+json" && mediaType != "application/csp-report" {
+		return errors.New("content-type must be application/reports+json or application/csp-report")
 	}
 
 	return nil

internal/reporting/handler_test.go

@@ -83,6 +83,30 @@ func TestIngestRejectsDisallowedOrigin(t *testing.T) {
 	}
 }
 
+func TestIngestAcceptsLegacyCSPReportURIFormat(t *testing.T) {
+	h := newTestHandler(t, []string{"*"})
+
+	body := `{"csp-report":{"document-uri":"https://site.example/page","violated-directive":"frame-src"}}`
+	req := httptest.NewRequest(http.MethodPost, "/", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/csp-report")
+	rr := httptest.NewRecorder()
+
+	h.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("expected %d, got %d", http.StatusOK, rr.Code)
+	}
+
+	var response map[string]int
+	if err := json.Unmarshal(rr.Body.Bytes(), &response); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+
+	if response["received"] != 1 || response["accepted"] != 1 || response["rejected"] != 0 {
+		t.Fatalf("unexpected response: %+v", response)
+	}
+}
+
 func TestPreflightAllowsWildcardPatternOrigin(t *testing.T) {
 	h := newTestHandler(t, []string{"https://*.example.com"})