Ejemplo n.º 1
0
        public void Build_ForAllHeaders_WhenNotUsingNonce_HasPerRequestValuesReturnsTrue()
        {
            var builder = new CspBuilder();

            builder.AddDefaultSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddConnectSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddFontSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddObjectSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddFormAction().Self().Blob().Data().From("http://testUrl.com");
            builder.AddWorkerSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddImgSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddStyleSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddMediaSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddFrameAncestors().Self().Blob().Data().From("http://testUrl.com");
            builder.AddBaseUri().Self().Blob().Data().From("http://testUrl.com");
            builder.AddUpgradeInsecureRequests();
            builder.AddBlockAllMixedContent();

            // add nonce
            builder.AddScriptSrc().WithNonce();

            var result = builder.Build();

            result.HasPerRequestValues.Should().BeTrue();
        }
Ejemplo n.º 2
0
        public void Build_AddSrciptSrc_WhenAddsMultipleValue_ReturnsAllValues()
        {
            var builder = new CspBuilder();

            builder.AddScriptSrc()
            .Self()
            .Blob()
            .Data()
            .From("http://testUrl.com");

            var result = builder.Build();

            result.Should().Be("script-src 'self' blob: data: http://testUrl.com");
        }
Ejemplo n.º 3
0
        public void Build_AddSrciptSrc_WhenAddsInsecureValues_ReturnsAllValues()
        {
            var builder = new CspBuilder();

            builder.AddScriptSrc()
            .Self()
            .UnsafeEval()
            .UnsafeInline()
            .StrictDynamic()
            .ReportSample()
            .From("http://testUrl.com");

            var result = builder.Build();

            result.Should().Be("script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'report-sample' http://testUrl.com");
        }
Ejemplo n.º 4
0
        public void Build_AddSrciptSrc_WhenAddsNonce_HasPerRequestValuesReturnsTrue()
        {
            var builder = new CspBuilder();

            builder.AddScriptSrc()
            .Self()
            .UnsafeEval()
            .UnsafeInline()
            .StrictDynamic()
            .ReportSample()
            .WithNonce()
            .From("http://testUrl.com");

            var result = builder.Build();

            result.HasPerRequestValues.Should().BeTrue();
        }
Ejemplo n.º 5
0
        public void Builder_WhenUsingNonce_AddsNonceToCSP()
        {
            var builder = new CspBuilder();

            builder.AddScriptSrc().WithNonce();
            builder.AddStyleSrc().WithNonce();
            builder.AddCustomDirectiveBuilder("test-directive").WithNonce();

            var result = builder.Build();

            var httpContext = new DefaultHttpContext();
            var nonce       = "ABC123";

            httpContext.SetNonce(nonce);

            var csp = result.Builder(httpContext);

            csp.Should().Be($"script-src 'nonce-{nonce}'; style-src 'nonce-{nonce}'; test-directive 'nonce-{nonce}'");
        }
Ejemplo n.º 6
0
        public void Build_AddSrciptSrc_WhenDoesntAddNonce_BuilderThrowsInvalidOperation()
        {
            var builder = new CspBuilder();

            builder.AddScriptSrc()
            .Self()
            .UnsafeEval()
            .UnsafeInline()
            .StrictDynamic()
            .ReportSample()
            .From("http://testUrl.com");

            var result = builder.Build();

            result.Invoking(x =>
            {
                var val = x.Builder;
            })
            .ShouldThrow <InvalidOperationException>();
        }
Ejemplo n.º 7
0
        public void Build_ForAllHeaders_WhenNotUsingNonce_HasPerRequestValuesReturnsFalse()
        {
            var builder = new CspBuilder();

            builder.AddDefaultSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddConnectSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddFontSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddObjectSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddFormAction().Self().Blob().Data().From("http://testUrl.com");
            builder.AddImgSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddScriptSrc().Self().UnsafeEval().UnsafeInline().StrictDynamic().ReportSample().From("http://testUrl.com");
            builder.AddStyleSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddMediaSrc().Self().Blob().Data().From("http://testUrl.com");
            builder.AddFrameAncestors().Self().Blob().Data().From("http://testUrl.com");
            builder.AddBaseUri().Self().Blob().Data().From("http://testUrl.com");
            builder.AddUpgradeInsecureRequests();
            builder.AddBlockAllMixedContent();

            var result = builder.Build();

            result.HasPerRequestValues.Should().BeFalse();
        }