public void SetCspHeaders_NoOverride_DoesNothing(bool reportOnly)
        {
            // Arrange: a baseline CSP configuration exists for the request, but the
            // override lookup yields null, i.e. nothing has asked for a per-request change.
            var baselineConfig = new CspConfiguration();

            _contextHelper
                .Setup(helper => helper.GetCspConfiguration(It.IsAny<IHttpContextWrapper>(), reportOnly))
                .Returns(baselineConfig);
            _cspConfigurationOverrideHelper
                .Setup(helper => helper.GetCspConfigWithOverrides(It.IsAny<IHttpContextWrapper>(), reportOnly))
                .Returns((CspConfiguration)null);

            // Act
            _overrideHelper.SetCspHeaders(_httpContext, reportOnly);

            // Assert: with no override, the helper must neither build a CSP header result
            // nor hand one to the result handler, so the policy already in place is left alone.
            _headerGenerator.Verify(
                generator => generator.CreateCspResult(
                    It.IsAny<ICspConfiguration>(),
                    reportOnly,
                    It.IsAny<string>(),
                    It.IsAny<ICspConfiguration>()),
                Times.Never);
            _headerResultHandler.Verify(
                handler => handler.HandleHeaderResult(_httpContext, It.IsAny<HeaderResult>()),
                Times.Never);
        }
Beispiel #2
        /// <summary>
        /// Generates a CSP nonce HTML attribute. The 120-bit random nonce will be included in the CSP style-src directive.
        /// </summary>
        /// <param name="helper">The HTML helper instance that this method extends.</param>
        public static IHtmlString CspStyleNonce(this HtmlHelper helper)
        {
            // Per-request marker stored in HttpContext.Items; it keeps the CSP headers from
            // being rewritten every time a view asks for the style nonce.
            const string nonceSetKey = "NWebsecStyleNonceSet";

            var httpContext     = helper.ViewContext.HttpContext;
            var configOverrides = new CspConfigurationOverrideHelper();
            var headerOverrides = new HeaderOverrideHelper();

            // The nonce is obtained before any header is written.
            // NOTE(review): a nonce only helps if it is unpredictable and fresh for every
            // response; generation happens inside GetCspStyleNonce, which is not visible here.
            var styleNonce = configOverrides.GetCspStyleNonce(httpContext);

            var headersAlreadySet = httpContext.Items[nonceSetKey] != null;
            if (!headersAlreadySet)
            {
                httpContext.Items[nonceSetKey] = "set";

                // Refresh both variants: enforcing (false) first, then report-only (true).
                foreach (var reportOnly in new[] { false, true })
                {
                    headerOverrides.SetCspHeaders(httpContext, reportOnly);
                }
            }

            return CreateNonceAttribute(helper, styleNonce);
        }
Beispiel #3
        /// <summary>
        /// Generates a CSP nonce HTML attribute. The 120-bit random nonce will be included in the CSP style-src directive.
        /// </summary>
        /// <param name="helper">The HTML helper instance that this method extends.</param>
        public static IHtmlString CspStyleNonce(this HtmlHelper helper)
        {
            // Per-request marker; it keeps the CSP headers from being rewritten every time
            // a view asks for the style nonce.
            const string nonceSetKey = "NWebsecStyleNonceSet";

            var wrappedContext  = new HttpContextWrapper(helper.ViewContext.HttpContext);
            var configOverrides = new CspConfigurationOverrideHelper();
            var headerOverrides = new HeaderOverrideHelper(new CspReportHelper());

            // The nonce is obtained before any header is written.
            // NOTE(review): a nonce only helps if it is unpredictable and fresh for every
            // response; generation happens inside GetCspStyleNonce, which is not visible here.
            var styleNonce = configOverrides.GetCspStyleNonce(wrappedContext);

            var headersAlreadySet = wrappedContext.GetItem<string>(nonceSetKey) != null;
            if (!headersAlreadySet)
            {
                wrappedContext.SetItem(nonceSetKey, "set");

                // Refresh both variants: enforcing (false) first, then report-only (true).
                foreach (var reportOnly in new[] { false, true })
                {
                    headerOverrides.SetCspHeaders(wrappedContext, reportOnly);
                }
            }

            return CreateNonceAttribute(helper, styleNonce);
        }
        public void SetCspHeaders_NoOverride_DoesNothing([Values(false, true)] bool reportOnly)
        {
            // Arrange: give the mocked context a request object so ASP.NET property access works.
            var requestMock = new Mock<HttpRequestBase>();
            requestMock.SetupAllProperties();
            Mock.Get(_mockContext)
                .Setup(context => context.Request)
                .Returns(requestMock.Object);

            // A baseline CSP configuration exists, but the override lookup yields null,
            // i.e. nothing has asked for a per-request change.
            var baselineConfig = new CspConfiguration();

            _contextHelper
                .Setup(helper => helper.GetCspConfiguration(It.IsAny<HttpContextBase>(), reportOnly))
                .Returns(baselineConfig);
            _cspConfigurationOverrideHelper
                .Setup(helper => helper.GetCspConfigWithOverrides(It.IsAny<HttpContextBase>(), reportOnly))
                .Returns((CspConfiguration)null);

            // Act
            _overrideHelper.SetCspHeaders(_mockContext, reportOnly);

            // Assert: with no override, no CSP header result is built and nothing is handed
            // to the result handler, so the policy already in place is left alone.
            _headerGenerator.Verify(
                generator => generator.CreateCspResult(
                    It.IsAny<ICspConfiguration>(),
                    reportOnly,
                    It.IsAny<string>(),
                    It.IsAny<ICspConfiguration>()),
                Times.Never);
            _headerResultHandler.Verify(
                handler => handler.HandleHeaderResult(It.IsAny<HttpResponseBase>(), It.IsAny<HeaderResult>()),
                Times.Never);
        }
Beispiel #5
        /// <summary>
        /// Generates a media type attribute suitable for an &lt;object&gt; or &lt;embed&gt; tag. The media type will be included in the CSP plugin-types directive.
        /// </summary>
        /// <param name="helper">The HTML helper instance that this method extends.</param>
        /// <param name="mediaType">The media type.</param>
        public static IHtmlString CspMediaType(this HtmlHelper helper, string mediaType)
        {
            // Validation runs first, before the value reaches either the CSP override or the markup.
            // The return value is unused, so rejection presumably happens by exception;
            // confirm in Rfc2045MediaTypeValidator.
            new Rfc2045MediaTypeValidator().Validate(mediaType);

            var httpContext     = helper.ViewContext.HttpContext;
            var configOverrides = new CspConfigurationOverrideHelper();
            var headerOverrides = new HeaderOverrideHelper();

            // Add this media type to plugin-types while inheriting the already configured ones.
            var pluginTypesOverride = new CspPluginTypesOverride
            {
                Enabled = true,
                InheritMediaTypes = true,
                MediaTypes = new[] { mediaType }
            };

            // Register the override for both variants (enforcing, then report-only) ...
            foreach (var reportOnly in new[] { false, true })
            {
                configOverrides.SetCspPluginTypesOverride(httpContext, pluginTypesOverride, reportOnly);
            }

            // ... and only then rewrite the headers, again enforcing first, report-only second.
            foreach (var reportOnly in new[] { false, true })
            {
                headerOverrides.SetCspHeaders(httpContext, reportOnly);
            }

            // The value lands inside a double-quoted attribute, so it is attribute-encoded
            // even though it has already passed validation.
            return new HtmlString(string.Format("type=\"{0}\"", helper.AttributeEncode(mediaType)));
        }
Beispiel #6
        /// <summary>
        /// Generates a media type attribute suitable for an &lt;object&gt; or &lt;embed&gt; tag. The media type will be included in the CSP plugin-types directive.
        /// </summary>
        /// <param name="helper">The HTML helper instance that this method extends.</param>
        /// <param name="mediaType">The media type.</param>
        public static HtmlString CspMediaType(this IHtmlHelper<dynamic> helper, string mediaType)
        {
            // Validation runs first, before the value reaches either the CSP override or the markup.
            // The return value is unused, so rejection presumably happens by exception;
            // confirm in Rfc2045MediaTypeValidator.
            new Rfc2045MediaTypeValidator().Validate(mediaType);

            var httpContext     = helper.ViewContext.HttpContext;
            var configOverrides = new CspConfigurationOverrideHelper();
            var headerOverrides = new HeaderOverrideHelper();

            // Add this media type to plugin-types while inheriting the already configured ones.
            var pluginTypesOverride = new CspPluginTypesOverride
            {
                Enabled = true,
                InheritMediaTypes = true,
                MediaTypes = new[] { mediaType }
            };

            // Register the override for both variants (enforcing, then report-only) ...
            foreach (var reportOnly in new[] { false, true })
            {
                configOverrides.SetCspPluginTypesOverride(httpContext, pluginTypesOverride, reportOnly);
            }

            // ... and only then rewrite the headers, again enforcing first, report-only second.
            foreach (var reportOnly in new[] { false, true })
            {
                headerOverrides.SetCspHeaders(httpContext, reportOnly);
            }

            //TODO have a look at the encoder.
            // NOTE(review): the value is emitted inside a double-quoted attribute, so whichever
            // encoder ends up here has to escape the double quote; confirm helper.Encode does.
            return new HtmlString($"type=\"{helper.Encode(mediaType)}\"");
        }
 /// <summary>
 /// Hands the executed action's HTTP context to the header override helper so that the
 /// CSP headers are set, passing this instance's <c>ReportOnly</c> value through.
 /// </summary>
 /// <param name="filterContext">The context of the action that has executed.</param>
 public sealed override void SetHttpHeadersOnActionExecuted(ActionExecutedContext filterContext)
 {
     // Sealed, so derived types cannot replace this header-setting step.
     var httpContext = filterContext.HttpContext;
     _headerOverrideHelper.SetCspHeaders(httpContext, ReportOnly);
 }