public static void AddScriptCspHeaders(this HttpResponse response, CspOptions options, string hash)
{
var csp1part = options.Level == CspLevel.One ? "'unsafe-inline' " : string.Empty;
var cspHeader = $"default-src 'none'; script-src {csp1part}'{hash}'";
AddCspHeaders(response.Headers, options, cspHeader);
}
private static void AddCspHeaders(IHeaderDictionary headers, CspOptions options, string cspHeader)
{
if (!headers.ContainsKey("Content-Security-Policy"))
{
headers.Add("Content-Security-Policy", cspHeader);
}
if (options.AddDeprecatedHeader && !headers.ContainsKey("X-Content-Security-Policy"))
{
headers.Add("X-Content-Security-Policy", cspHeader);
}
}
public static void AddStyleCspHeaders(this HttpResponse response, CspOptions options, string hash, string frameSources)
{
var csp1part = options.Level == CspLevel.One ? "'unsafe-inline' " : string.Empty;
var cspHeader = $"default-src 'none'; style-src {csp1part}'{hash}'";
if (!string.IsNullOrEmpty(frameSources))
{
cspHeader += $"; frame-src {frameSources}";
}
AddCspHeaders(response.Headers, options, cspHeader);
}
