public void SetBlockAllMixedContent_SetsBlockAllMixedContentToTrue()
        {
            // Turning the flag on through the builder must surface as
            // BlockAllMixedContent on the options it produces.
            var csp = new CspBuilder();
            csp.SetBlockAllMixedContent();

            var built = csp.BuildCspOptions();

            Assert.True(built.BlockAllMixedContent);
        }
        public void SetReportOnly_SetsReportOnlyToTrue()
        {
            // Report-only mode is a builder switch; check it reaches the
            // built options as ReportOnly == true.
            var csp = new CspBuilder();
            csp.SetReportOnly();

            var built = csp.BuildCspOptions();

            Assert.True(built.ReportOnly);
        }
        public void SetUpgradeInsecureRequests_SetsUpgradeInsecureRequestsToTrue()
        {
            // The upgrade-insecure-requests switch should be carried over
            // verbatim into CspOptions.UpgradeInsecureRequests.
            var csp = new CspBuilder();
            csp.SetUpgradeInsecureRequests();

            var built = csp.BuildCspOptions();

            Assert.True(built.UpgradeInsecureRequests);
        }
        public void ReportViolationsTo_SetsTheReportUri()
        {
            // The URI given to ReportViolationsTo must round-trip unchanged
            // into CspOptions.ReportUri.
            const string reportUri = "/somewhere";

            var csp = new CspBuilder();
            csp.ReportViolationsTo(reportUri);

            var built = csp.BuildCspOptions();

            Assert.Equal(reportUri, built.ReportUri);
        }
        public void EnableSandbox_EnablesTheSandbox()
        {
            // Sandbox enablement is a simple boolean on the built options.
            var csp = new CspBuilder();
            csp.EnableSandbox();

            var built = csp.BuildCspOptions();

            Assert.True(built.EnableSandbox);
        }
        public void IncludeXHeader_SetsIncludeXHeaderToTrue()
        {
            // Requesting the legacy X- prefixed header should set
            // IncludeXHeader on the options the builder emits.
            var csp = new CspBuilder();
            csp.IncludeXHeader();

            var built = csp.BuildCspOptions();

            Assert.True(built.IncludeXHeader);
        }
        public void WithPrefetch_ReturnsCorrectHeader()
        {
            // A single prefetch source serialises to a lone prefetch-src
            // directive. No nonce is involved, so the nonce service is null.
            var csp = new CspBuilder();
            csp.AllowPrefetch.From("https://www.google.com");

            var built = csp.BuildCspOptions();
            var header = built.ToString(null);

            Assert.Equal("prefetch-src https://www.google.com", header.headerValue);
        }
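        /// <summary>
        /// Adds a Content Security Policy header
        /// to the response.
        /// </summary>
        /// <remarks>
        /// The <see cref="CspBuilder"/> is executed once, here, at registration time.
        /// The resulting <see cref="CspOptions"/> are handed to the middleware through an
        /// <see cref="OptionsWrapper{TOptions}"/>, so the policy is fixed for the lifetime
        /// of the pipeline rather than re-evaluated per request.
        /// </remarks>
        /// <param name="app">The <see cref="IApplicationBuilder"/></param>
        /// <param name="builderAction">Configuration action for the header.</param>
        /// <returns>The <see cref="IApplicationBuilder"/></returns>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="app"/> or <paramref name="builderAction"/> is <c>null</c>.
        /// </exception>
        public static IApplicationBuilder UseCsp(this IApplicationBuilder app, Action<CspBuilder> builderAction)
        {
            // Fail fast at the public entry point instead of letting a null
            // callback surface as a NullReferenceException further down.
            if (app == null)
            {
                throw new ArgumentNullException(nameof(app));
            }

            if (builderAction == null)
            {
                throw new ArgumentNullException(nameof(builderAction));
            }

            var builder = new CspBuilder();
            builderAction(builder);

            // Materialise the policy once; the builder is local and not retained.
            CspOptions options = builder.BuildCspOptions();

            return app.UseMiddleware<CspMiddleware>(new OptionsWrapper<CspOptions>(options));
        }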
        public void RequireSriFor_ReturnsCorrectHeader()
        {
            // Requiring SRI for scripts only should yield exactly the
            // "require-sri-for script" directive and nothing else.
            var csp = new CspBuilder();
            csp.RequireSri.ForScripts();

            var built = csp.BuildCspOptions();
            var header = built.ToString(null);

            Assert.Equal("require-sri-for script", header.headerValue);
        }
        public void WithFramesAndWorkers_ReturnsCorrectHeader()
        {
            // Two directives configured in this order must be emitted in the
            // same order, ';'-separated, with worker-src carrying both the
            // 'self' keyword and the https: scheme source.
            var csp = new CspBuilder();
            csp.AllowFrames.From("https://www.google.com");
            csp.AllowWorkers.FromSelf().OnlyOverHttps();

            var built = csp.BuildCspOptions();
            var header = built.ToString(null);

            Assert.Equal("frame-src https://www.google.com;worker-src 'self' https:", header.headerValue);
        }
        public async Task OnSendingHeader_ShouldNotSendTest()
        {
            // The OnSendingHeader callback configured on the builder must be the
            // one invoked from the built options, and its ShouldNotSend decision
            // must be visible on the context afterwards.
            var csp = new CspBuilder
            {
                OnSendingHeader = ctx =>
                {
                    ctx.ShouldNotSend = true;
                    return Task.CompletedTask;
                }
            };

            // A null HttpContext is sufficient here: the callback above only
            // touches ShouldNotSend.
            var ctx = new CspSendingHeaderContext(null);

            var built = csp.BuildCspOptions();
            await built.OnSendingHeader(ctx);

            Assert.True(ctx.ShouldNotSend);
        }
        public void FromSelf_WithNonce_HasValue()
        {
            // The header is rendered with the same nonce service the test reads
            // from, so the 'nonce-…' token must equal GetNonce()'s value. The
            // DoesNotContain checks pin that the 32-byte nonce is emitted without
            // '+', '/' or '=' characters.
            var nonces = new CspNonceService(32);
            var expectedNonce = nonces.GetNonce();

            var csp = new CspBuilder();
            csp.AllowScripts.FromSelf().AddNonce();

            var built = csp.BuildCspOptions();
            var header = built.ToString(nonces);

            foreach (var forbidden in new[] { "+", "/", "=" })
            {
                Assert.DoesNotContain(forbidden, expectedNonce);
            }

            Assert.Equal($"script-src 'self' 'nonce-{expectedNonce}'", header.headerValue);
        }