/// <summary>
/// Builds a fresh OWIN environment dictionary containing empty request and
/// response header collections, then wraps it in an <c>OwinEnvironment</c>.
/// </summary>
public void Setup()
 {
     // Per OWIN 1.0 spec: header dictionaries compare keys case-insensitively
     // (ordinal), so "Location" and "location" address the same header.
     var requestHeaders = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
     var responseHeaders = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);

     var environment = new Dictionary<string, object>();
     environment[RequestHeaderKey] = requestHeaders;
     environment[ResponseHeaderKey] = responseHeaders;

     _env = environment;
     _owinEnvironment = new OwinEnvironment(_env);
 }
Beispiel #2
 /// <summary>
 /// Publishes the configuration on the NWebsec context and, when the
 /// precomputed header result asks for it, writes the header to the response
 /// before the next middleware runs.
 /// </summary>
 /// <param name="owinEnvironment">Wrapper around the current request's OWIN environment.</param>
 internal override void PreInvokeNext(OwinEnvironment owinEnvironment)
 {
     // Record the effective config first so later components can read it even
     // when no header is emitted. (Presumably this drives X-XSS-Protection,
     // going by the property name; the header name itself comes from _headerResult.)
     owinEnvironment.NWebsecContext.XXssProtection = _config;

     var mustSetHeader = _headerResult.Action == HeaderResult.ResponseAction.Set;
     if (!mustSetHeader)
     {
         return;
     }

     owinEnvironment.ResponseHeaders.SetHeader(_headerResult.Name, _headerResult.Value);
 }
Beispiel #3
        /// <summary>
        /// Writes the precomputed header to the response, unless the configuration
        /// restricts it to HTTPS and the current request did not arrive over HTTPS.
        /// </summary>
        /// <param name="owinEnvironment">Wrapper around the current request's OWIN environment.</param>
        internal override void PreInvokeNext(OwinEnvironment owinEnvironment)
        {
            // The scheme is compared case-insensitively. It is only read when HttpsOnly is set.
            // NOTE(review): the decision rests on the scheme the host reports. Behind a
            // TLS-terminating proxy that value may be "http" unless the host is configured
            // to honour forwarded-scheme information, in which case the header would
            // silently never be sent. Confirm against the deployment.
            var schemeAllowsHeader = !_config.HttpsOnly
                || Https.Equals(owinEnvironment.RequestScheme, StringComparison.OrdinalIgnoreCase);

            if (schemeAllowsHeader && _headerResult.Action == HeaderResult.ResponseAction.Set)
            {
                owinEnvironment.ResponseHeaders.SetHeader(_headerResult.Name, _headerResult.Value);
            }
        }
Beispiel #4
        /// <summary>
        /// OWIN middleware entry point: runs the pre-hook, awaits the next component
        /// in the pipeline (if there is one), then runs the post-hook.
        /// </summary>
        /// <param name="environment">The raw OWIN environment dictionary for the request.</param>
        /// <returns>A task that completes when the rest of the pipeline and both hooks have run.</returns>
        public async Task Invoke(IDictionary<string, object> environment)
        {
            var owinEnvironment = new OwinEnvironment(environment);

            PreInvokeNext(owinEnvironment);

            if (_next == null)
            {
                // Terminal middleware: nothing downstream, go straight to the post-hook.
                PostInvokeNext(owinEnvironment);
                return;
            }

            // If the downstream component throws, the post-hook is not executed.
            await _next(environment);

            PostInvokeNext(owinEnvironment);
        }
        /// <summary>
        /// After the downstream pipeline has run, passes redirect responses to the
        /// redirect validator together with the URI the request was addressed to.
        /// Non-redirect responses are ignored.
        /// </summary>
        /// <param name="environment">Wrapper around the current request's OWIN environment.</param>
        internal override void PostInvokeNext(OwinEnvironment environment)
        {
            var responseStatus = environment.ResponseStatusCode;

            if (_redirectValidator.IsRedirectStatusCode(responseStatus))
            {
                // The reference URI for the request is rebuilt from the scheme and the
                // Host request header.
                // NOTE(review): Host is client-supplied. The validator's idea of "this site"
                // is therefore only as trustworthy as whatever host filtering runs in front
                // of this middleware. A missing or malformed Host makes the Uri constructor
                // throw, which surfaces as an unhandled error on a redirect response.
                var requestOrigin = string.Concat(environment.RequestScheme, "://", environment.RequestHeaders.Host);
                var requestUri = new Uri(requestOrigin);

                _redirectValidator.ValidateRedirect(responseStatus, environment.ResponseHeaders.Location, requestUri, _config);
            }
        }
Beispiel #6
        /// <summary>
        /// Publishes the CSP configuration on the NWebsec context, in the enforcing or
        /// the report-only slot depending on how this middleware was created, and writes
        /// the precomputed header to the response when one is to be set.
        /// </summary>
        /// <param name="owinEnvironment">Wrapper around the current request's OWIN environment.</param>
        internal override void PreInvokeNext(OwinEnvironment owinEnvironment)
        {
            var context = owinEnvironment.NWebsecContext;

            // Enforcing and report-only policies are tracked separately, so only the
            // slot matching this instance is written.
            if (!_reportOnly)
            {
                context.Csp = _config;
            }
            else
            {
                context.CspReportOnly = _config;
            }

            if (_headerResult.Action != HeaderResult.ResponseAction.Set)
            {
                return;
            }

            owinEnvironment.ResponseHeaders.SetHeader(_headerResult.Name, _headerResult.Value);
        }
Beispiel #7
        /// <summary>
        /// OWIN middleware entry point. If the request is answered with an
        /// upgrade-insecure-requests redirect, the pipeline stops here; otherwise the
        /// CSP headers are set and the next component (if any) is awaited.
        /// </summary>
        /// <param name="environment">The raw OWIN environment dictionary for the request.</param>
        /// <returns>A task that completes when this middleware and anything downstream has run.</returns>
        public async Task Invoke(IDictionary<string, object> environment)
        {
            var owinEnvironment = new OwinEnvironment(environment);

            // A redirect response short-circuits the pipeline: no CSP headers are
            // written and nothing downstream runs.
            var redirected = HandleUpgradeInsecureRequest(owinEnvironment);
            if (!redirected)
            {
                SetCspHeaders(owinEnvironment);

                if (_next != null)
                {
                    await _next(environment);
                }
            }
        }
Beispiel #8
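        /// <summary>
        /// Answers a plain-HTTP request with a 307 redirect to its HTTPS equivalent when
        /// the CSP upgrade-insecure-requests directive is enabled and the user agent
        /// signalled support for it.
        /// </summary>
        /// <param name="env">Wrapper around the current request's OWIN environment.</param>
        /// <returns>
        /// <c>true</c> if a redirect response was written and the pipeline should stop;
        /// <c>false</c> if the request should continue unchanged.
        /// </returns>
        internal bool HandleUpgradeInsecureRequest(OwinEnvironment env)
        {
            const string https = "https";

            // Already on https. URI schemes are case-insensitive, so compare that way:
            // an ordinal match would treat "HTTPS" as insecure and redirect a request
            // that is already secure.
            if (https.Equals(env.RequestScheme, StringComparison.OrdinalIgnoreCase)) return false;

            // CSP upgrade-insecure-requests is disabled
            if (!_config.Enabled || !_config.UpgradeInsecureRequestsDirective.Enabled) return false;

            // Only user agents that announced support are redirected.
            if (!CspUpgradeHelper.UaSupportsUpgradeInsecureRequests(env)) return false;

            // NOTE(review): the redirect target's host is taken from the client-supplied
            // Host header. Unless an upstream component restricts Host to known names,
            // the Location value reflects whatever the client sent, which matters when
            // responses can be cached or logged by intermediaries. A missing or malformed
            // Host makes the UriBuilder constructor throw.
            // The Port assignment replaces any port parsed from the Host value.
            // NOTE(review): only path base + path are carried over; the query string does
            // not appear in the redirect target. Confirm that is intended.
            var upgradeUri = new UriBuilder($"https://{env.RequestHeaders.Host}")
            {
                Port = _config.UpgradeInsecureRequestsDirective.HttpsPort,
                Path = env.RequestPathBase + env.RequestPath,
            };

            // Redirect. Vary tells caches the response depends on the
            // Upgrade-Insecure-Requests request header; 307 keeps the request method.
            env.ResponseHeaders.SetHeader("Vary", "Upgrade-Insecure-Requests");
            env.ResponseHeaders.Location = upgradeUri.Uri.AbsoluteUri;
            env.ResponseStatusCode = 307;
            return true;
        }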
Beispiel #9
 /// <summary>
 /// Hook for work that must happen after the next middleware has run.
 /// The base implementation does nothing; subclasses override it as needed.
 /// </summary>
 /// <param name="environment">Wrapper around the current request's OWIN environment.</param>
 internal virtual void PostInvokeNext(OwinEnvironment environment)
 {
     // Intentionally empty.
 }
Beispiel #10
 /// <summary>
 /// Reports whether the request carries an <c>Upgrade-Insecure-Requests</c> header
 /// whose value is exactly <c>1</c>.
 /// </summary>
 /// <param name="env">Wrapper around the current request's OWIN environment.</param>
 /// <returns><c>true</c> when the header is present with the value "1"; otherwise <c>false</c>.</returns>
 internal static bool UaSupportsUpgradeInsecureRequests(OwinEnvironment env)
 {
     var headerValue = env.RequestHeaders.GetHeaderValue("Upgrade-Insecure-Requests");

     // The static Equals copes with a missing (null) header and returns false for it.
     // The match is exact: any other value, including "1" with surrounding whitespace,
     // is treated as "not supported".
     return string.Equals(headerValue, "1", StringComparison.Ordinal);
 }