/// <summary>
/// When the override helper reports no per-request override, SetCspHeaders must neither
/// build a CSP header result nor hand anything to the header result handler.
/// </summary>
/// <param name="reportOnly">Exercises the report-only (true) or enforcing (false) variant.</param>
public void SetCspHeaders_NoOverride_DoesNothing(bool reportOnly)
{
    // Arrange: the context carries a base CSP configuration, but no override is present.
    var baseConfig = new CspConfiguration();
    _contextHelper
        .Setup(h => h.GetCspConfiguration(It.IsAny<IHttpContextWrapper>(), reportOnly))
        .Returns(baseConfig);
    _cspConfigurationOverrideHelper
        .Setup(h => h.GetCspConfigWithOverrides(It.IsAny<IHttpContextWrapper>(), reportOnly))
        .Returns((CspConfiguration)null);

    // Act
    _overrideHelper.SetCspHeaders(_httpContext, reportOnly);

    // Assert: the header pipeline was never entered.
    _headerGenerator.Verify(
        g => g.CreateCspResult(It.IsAny<ICspConfiguration>(), reportOnly, It.IsAny<string>(), It.IsAny<ICspConfiguration>()),
        Times.Never);
    _headerResultHandler.Verify(
        h => h.HandleHeaderResult(_httpContext, It.IsAny<HeaderResult>()),
        Times.Never);
}
/// <summary>
/// Generates a CSP nonce HTML attribute. The 120-bit random nonce will be included in the CSP style-src directive.
/// </summary>
/// <remarks>
/// The first call in a request also writes the CSP headers (enforcing, then report-only) so that the
/// nonce advertised in the policy is the one emitted in the markup; later calls in the same request
/// return the attribute only. A marker in <c>HttpContext.Items</c> records that the headers were set.
/// NOTE(review): this relies on the response headers still being writable while the view renders —
/// confirm the behaviour for responses that have already been flushed.
/// </remarks>
/// <param name="helper">The view's HTML helper; supplies the current HttpContext.</param>
/// <returns>The nonce attribute produced by <c>CreateNonceAttribute</c>.</returns>
public static IHtmlString CspStyleNonce(this HtmlHelper helper)
{
    const string nonceSetMarker = "NWebsecStyleNonceSet";

    var httpContext = helper.ViewContext.HttpContext;
    var cspOverrides = new CspConfigurationOverrideHelper();
    var headerOverrides = new HeaderOverrideHelper();
    var nonce = cspOverrides.GetCspStyleNonce(httpContext);

    // Write the headers exactly once per request.
    if (httpContext.Items[nonceSetMarker] == null)
    {
        httpContext.Items[nonceSetMarker] = "set";
        headerOverrides.SetCspHeaders(httpContext, false); // reportOnly: false
        headerOverrides.SetCspHeaders(httpContext, true);  // reportOnly: true
    }

    return CreateNonceAttribute(helper, nonce);
}
/// <summary>
/// Generates a CSP nonce HTML attribute. The 120-bit random nonce will be included in the CSP style-src directive.
/// </summary>
/// <remarks>
/// The underlying HttpContext is wrapped in an <c>HttpContextWrapper</c> so the same helpers can be used
/// from both MVC and Web API. On the first call in a request the CSP headers are written (enforcing, then
/// report-only) and a marker item is set; subsequent calls only return the attribute.
/// NOTE(review): assumes the response headers are still writable at view-render time — confirm.
/// </remarks>
/// <param name="helper">The view's HTML helper; supplies the current HttpContext.</param>
/// <returns>The nonce attribute produced by <c>CreateNonceAttribute</c>.</returns>
public static IHtmlString CspStyleNonce(this HtmlHelper helper)
{
    const string nonceSetMarker = "NWebsecStyleNonceSet";

    var wrappedContext = new HttpContextWrapper(helper.ViewContext.HttpContext);
    var cspOverrides = new CspConfigurationOverrideHelper();
    var headerOverrides = new HeaderOverrideHelper(new CspReportHelper());
    var nonce = cspOverrides.GetCspStyleNonce(wrappedContext);

    // Headers already written earlier in this request: nothing more to do.
    if (wrappedContext.GetItem<string>(nonceSetMarker) != null)
    {
        return CreateNonceAttribute(helper, nonce);
    }

    wrappedContext.SetItem(nonceSetMarker, "set");
    headerOverrides.SetCspHeaders(wrappedContext, false); // reportOnly: false
    headerOverrides.SetCspHeaders(wrappedContext, true);  // reportOnly: true

    return CreateNonceAttribute(helper, nonce);
}
/// <summary>
/// With a base configuration present but no per-request override, SetCspHeaders must not
/// generate a CSP result or write any header, for both the enforcing and report-only variant.
/// </summary>
/// <param name="reportOnly">Supplied by NUnit for both false and true.</param>
public void SetCspHeaders_NoOverride_DoesNothing([Values(false, true)] bool reportOnly)
{
    // Arrange: give the mocked context a request object the helper can read from.
    var request = new Mock<HttpRequestBase>();
    request.SetupAllProperties();
    Mock.Get(_mockContext).Setup(c => c.Request).Returns(request.Object);

    var baseConfig = new CspConfiguration();
    _contextHelper
        .Setup(h => h.GetCspConfiguration(It.IsAny<HttpContextBase>(), reportOnly))
        .Returns(baseConfig);
    _cspConfigurationOverrideHelper
        .Setup(h => h.GetCspConfigWithOverrides(It.IsAny<HttpContextBase>(), reportOnly))
        .Returns((CspConfiguration)null);

    // Act
    _overrideHelper.SetCspHeaders(_mockContext, reportOnly);

    // Assert: no result was built and nothing reached the response.
    _headerGenerator.Verify(
        g => g.CreateCspResult(It.IsAny<ICspConfiguration>(), reportOnly, It.IsAny<string>(), It.IsAny<ICspConfiguration>()),
        Times.Never);
    _headerResultHandler.Verify(
        h => h.HandleHeaderResult(It.IsAny<HttpResponseBase>(), It.IsAny<HeaderResult>()),
        Times.Never);
}
/// <summary>
/// Generates a media type attribute suitable for an &lt;object&gt; or &lt;embed&gt; tag. The media type will be included in the CSP plugin-types directive.
/// </summary>
/// <remarks>
/// The value is validated as an RFC 2045 media type before anything else happens, because it ends up
/// in a response header: the validator is the only guard between a caller-supplied string and the
/// plugin-types directive, so it must reject anything that is not a bare type/subtype (notably ';' and
/// whitespace, which would let a value escape the directive). NOTE(review): confirm the validator throws
/// on invalid input rather than returning a result this method ignores.
/// The override is registered for both the enforcing and report-only policy, and both headers are rewritten.
/// </remarks>
/// <param name="helper">The view's HTML helper; supplies the current HttpContext and the attribute encoder.</param>
/// <param name="mediaType">The media type.</param>
/// <returns>A <c>type="…"</c> attribute with the media type attribute-encoded.</returns>
public static IHtmlString CspMediaType(this HtmlHelper helper, string mediaType)
{
    // Validate first: the raw string is about to be added to a header value.
    new Rfc2045MediaTypeValidator().Validate(mediaType);

    var httpContext = helper.ViewContext.HttpContext;
    var cspOverrides = new CspConfigurationOverrideHelper();
    var headerOverrides = new HeaderOverrideHelper();

    var pluginTypesOverride = new CspPluginTypesOverride
    {
        Enabled = true,
        InheritMediaTypes = true, // presumably merges with configured media types rather than replacing them — verify
        MediaTypes = new[] { mediaType }
    };

    // Same order as the headers below: enforcing policy first, then report-only.
    foreach (var reportOnly in new[] { false, true })
    {
        cspOverrides.SetCspPluginTypesOverride(httpContext, pluginTypesOverride, reportOnly);
    }
    foreach (var reportOnly in new[] { false, true })
    {
        headerOverrides.SetCspHeaders(httpContext, reportOnly);
    }

    var encodedMediaType = helper.AttributeEncode(mediaType);
    return new HtmlString("type=\"" + encodedMediaType + "\"");
}
/// <summary>
/// Generates a media type attribute suitable for an &lt;object&gt; or &lt;embed&gt; tag. The media type will be included in the CSP plugin-types directive.
/// </summary>
/// <remarks>
/// The value is validated as an RFC 2045 media type before it is added to the policy, because it ends
/// up in a response header; the validator must therefore reject anything beyond a bare type/subtype
/// (';' and whitespace in particular). NOTE(review): confirm the validator throws on invalid input.
/// The override is registered for both the enforcing and report-only policy, and both headers are rewritten.
/// </remarks>
/// <param name="helper">The view's HTML helper; supplies the current HttpContext and the encoder.</param>
/// <param name="mediaType">The media type.</param>
/// <returns>A <c>type="…"</c> attribute with the media type HTML-encoded.</returns>
public static HtmlString CspMediaType(this IHtmlHelper<dynamic> helper, string mediaType)
{
    // Validate first: the raw string is about to be added to a header value.
    new Rfc2045MediaTypeValidator().Validate(mediaType);

    var httpContext = helper.ViewContext.HttpContext;
    var cspOverrides = new CspConfigurationOverrideHelper();
    var headerOverrides = new HeaderOverrideHelper();

    var pluginTypesOverride = new CspPluginTypesOverride
    {
        Enabled = true,
        InheritMediaTypes = true, // presumably merges with configured media types rather than replacing them — verify
        MediaTypes = new[] { mediaType }
    };

    // Enforcing policy first, then report-only, for both the override and the headers.
    cspOverrides.SetCspPluginTypesOverride(httpContext, pluginTypesOverride, false);
    cspOverrides.SetCspPluginTypesOverride(httpContext, pluginTypesOverride, true);
    headerOverrides.SetCspHeaders(httpContext, false);
    headerOverrides.SetCspHeaders(httpContext, true);

    // TODO (carried over): helper.Encode is the general HTML encoder, not an attribute-specific one.
    // The value sits inside a double-quoted attribute, so what matters is whether the configured
    // HtmlEncoder escapes '"' — presumably the default does, but a custom encoder registered via DI
    // might not. Confirm before relying on it.
    var encodedMediaType = helper.Encode(mediaType);
    return new HtmlString($"type=\"{encodedMediaType}\"");
}
/// <summary>
/// Writes this filter's CSP header once the action has executed, using the
/// action's HttpContext and the <see cref="ReportOnly"/> flag to pick the
/// enforcing or report-only variant.
/// </summary>
/// <param name="filterContext">The MVC context whose HttpContext receives the header.</param>
public sealed override void SetHttpHeadersOnActionExecuted(ActionExecutedContext filterContext)
{
    var httpContext = filterContext.HttpContext;
    _headerOverrideHelper.SetCspHeaders(httpContext, ReportOnly);
}