        /// <summary>
        ///     Micro-benchmark: serialises a small, mixed CSP configuration to its header
        ///     value <c>iterations</c> times and prints the elapsed time.
        /// </summary>
        /// <remarks>
        ///     The timed loop also calls <c>Trace.Write</c> on every pass, so the figure
        ///     printed includes trace-listener overhead, not only <c>ToHeaderValue()</c>.
        ///     <c>iterations</c>, <c>PrepareTest</c> and <c>PrintTime</c> are defined
        ///     elsewhere in this class.
        /// </remarks>
        private static void PerfConfigToHeaderValue()
        {
            var policy = new ContentSecurityPolicyConfiguration();

            // One of each directive shape: keyword, empty-valued, scheme, media type, scheme+host.
            policy.StyleSrc.AddKeyword(SourceListKeyword.Self);
            policy.Sandbox.SetToEmptyValue();
            policy.ConnectSrc.AddScheme("https");
            policy.PluginTypes.AddMediaType("application/xml");
            policy.BaseUri.AddScheme("https");
            policy.BaseUri.AddHost("www.example.org");

            // Presumably a warm-up pass so first-call costs stay out of the timed region — see PrepareTest.
            PrepareTest(() => policy.ToHeaderValue());

            var timer = Stopwatch.StartNew();
            for (var pass = 0; pass < iterations; pass++)
            {
                policy.ToHeaderValue();
                Trace.Write(pass);
            }
            timer.Stop();

            Console.WriteLine("PerfConfigToHeaderValue");
            PrintTime(timer);
        }
 /// <summary>
 ///     Every configured directive name must appear in the serialised header value.
 ///     Only the names are checked, not their values.
 /// </summary>
 /// <remarks>
 ///     NOTE(review): <c>plugin-types</c> and <c>report-uri</c> are exercised here; both are
 ///     deprecated in CSP Level 3 (<c>report-to</c> replaces the latter), so confirm which
 ///     spec level the library targets before relying on them.
 /// </remarks>
 public void All_source_types_should_be_in_the_header_value()
 {
     var policy = new ContentSecurityPolicyConfiguration();

     // One value per directive is enough to make each of them serialise.
     policy.BaseUri.AddKeyword(SourceListKeyword.Self);
     policy.ChildSrc.AddKeyword(SourceListKeyword.Self);
     policy.ConnectSrc.AddKeyword(SourceListKeyword.Self);
     policy.DefaultSrc.AddKeyword(SourceListKeyword.Self);
     policy.FontSrc.AddKeyword(SourceListKeyword.Self);
     policy.FormAction.AddKeyword(SourceListKeyword.Self);
     policy.FrameAncestors.SetToNone();
     policy.FrameSrc.AddKeyword(SourceListKeyword.Self);
     policy.ImgSrc.AddKeyword(SourceListKeyword.Self);
     policy.MediaSrc.AddKeyword(SourceListKeyword.Self);
     policy.ObjectSrc.AddKeyword(SourceListKeyword.Self);
     policy.ScriptSrc.AddKeyword(SourceListKeyword.Self);
     policy.StyleSrc.AddKeyword(SourceListKeyword.Self);
     policy.PluginTypes.AddMediaType("application/xml");
     policy.ReportUri.AddReportUri("https://www.example.com/report-uri");
     policy.Sandbox.AddToken("allow-scripts");

     var expectedDirectives = new List<string>
     {
         "base-uri", "child-src", "connect-src", "default-src", "font-src", "form-action", "frame-ancestors", "frame-src",
         "img-src", "media-src", "object-src", "plugin-types", "report-uri", "sandbox",
         "script-src", "style-src"
     };

     // Tokenise: directives are ";"-separated, a directive's name and values are " "-separated.
     var headerValue = policy.ToHeaderValue();
     var directives = headerValue.Split(';');
     var tokens = directives.SelectMany(directive => directive.Split(' ')).ToList();

     tokens.Should().Contain(expectedDirectives);
 }
        /// <summary>
        ///     An empty-valued <c>sandbox</c> directive must still be emitted. A bare
        ///     "sandbox" token is the most restrictive form (no allow-* relaxations), so
        ///     dropping it because it has "no value" would silently weaken the policy.
        /// </summary>
        public void When_sandbox_value_is_set_to_empty_the_directive_should_be_created()
        {
            var policy = new ContentSecurityPolicyConfiguration();
            policy.Sandbox.SetToEmptyValue();

            var directives = policy.ToHeaderValue()
                .Split(';')
                .Select(directive => directive.Trim());

            // Nothing else is configured, so the whole header is the single "sandbox" directive.
            directives.Should().OnlyContain(directive => directive == "sandbox");
        }
        /// <summary>
        ///     Every configured directive name must appear in the serialised header value.
        ///     Only the names are checked, not their values.
        /// </summary>
        /// <remarks>
        ///     NOTE(review): <c>plugin-types</c> and <c>report-uri</c> are exercised here; both are
        ///     deprecated in CSP Level 3 (<c>report-to</c> replaces the latter), so confirm which
        ///     spec level the library targets before relying on them.
        /// </remarks>
        public void All_source_types_should_be_in_the_header_value()
        {
            var policy = new ContentSecurityPolicyConfiguration();

            // One value per directive is enough to make each of them serialise.
            policy.BaseUri.AddKeyword(SourceListKeyword.Self);
            policy.ChildSrc.AddKeyword(SourceListKeyword.Self);
            policy.ConnectSrc.AddKeyword(SourceListKeyword.Self);
            policy.DefaultSrc.AddKeyword(SourceListKeyword.Self);
            policy.FontSrc.AddKeyword(SourceListKeyword.Self);
            policy.FormAction.AddKeyword(SourceListKeyword.Self);
            policy.FrameAncestors.SetToNone();
            policy.FrameSrc.AddKeyword(SourceListKeyword.Self);
            policy.ImgSrc.AddKeyword(SourceListKeyword.Self);
            policy.MediaSrc.AddKeyword(SourceListKeyword.Self);
            policy.ObjectSrc.AddKeyword(SourceListKeyword.Self);
            policy.ScriptSrc.AddKeyword(SourceListKeyword.Self);
            policy.StyleSrc.AddKeyword(SourceListKeyword.Self);
            policy.PluginTypes.AddMediaType("application/xml");
            policy.ReportUri.AddReportUri("https://www.example.com/report-uri");
            policy.Sandbox.AddToken("allow-scripts");

            var expectedDirectives = new List<string>
            {
                "base-uri", "child-src", "connect-src", "default-src", "font-src", "form-action", "frame-ancestors", "frame-src",
                "img-src", "media-src", "object-src", "plugin-types", "report-uri", "sandbox",
                "script-src", "style-src"
            };

            // Tokenise: directives are ";"-separated, a directive's name and values are " "-separated.
            var headerValue = policy.ToHeaderValue();
            var directives = headerValue.Split(';');
            var tokens = directives.SelectMany(directive => directive.Split(' ')).ToList();

            tokens.Should().Contain(expectedDirectives);
        }
        /// <summary>
        ///     <c>SetToNone()</c> must serialise as <c>script-src 'none'</c>. The single quotes
        ///     are significant: an unquoted <c>none</c> would be read by browsers as a host name,
        ///     not as the "allow nothing" keyword.
        /// </summary>
        public void When_set_scriptSrc_to_none_the_header_value_should_contain_the_directive_with_none()
        {
            var policy = new ContentSecurityPolicyConfiguration();
            policy.ScriptSrc.SetToNone();

            var headerValue = policy.ToHeaderValue();

            headerValue.Should().Be("script-src 'none'");
        }
 /// <summary>
 ///     Smoke test: with the CSP middleware in the pipeline, a plain GET response carries a
 ///     non-empty Content-Security-Policy header. The exact value is pinned by a separate test.
 /// </summary>
 public async Task When_adding_csp_middleware_a_response_should_serve_the_csp_header() {
     var policy = new ContentSecurityPolicyConfiguration();
     policy.ScriptSrc.AddScheme("https:");
     policy.ImgSrc.AddKeyword(SourceListKeyword.Self);

     // Presumably the host in the URL is irrelevant to the in-memory test server; any GET will do.
     var client = CspClientHelper.Create(policy);
     var response = await client.GetAsync("https://wwww.example.com");

     var headerValue = response.Csp();
     headerValue.Should().NotBeNullOrWhiteSpace();
 }
 /// <summary>
 ///     Four configured directives serialise as exactly four ";"-separated segments — in
 ///     particular no trailing separator, which would produce a fifth, empty segment.
 /// </summary>
 public void Source_types_should_be_separated_by_a_semicolon()
 {
     var policy = new ContentSecurityPolicyConfiguration();
     policy.StyleSrc.AddKeyword(SourceListKeyword.Self);
     policy.ImgSrc.AddScheme("https");
     policy.MediaSrc.AddKeyword(SourceListKeyword.UnsafeInline);
     policy.BaseUri.AddScheme("https");

     // Plain split, empty entries kept, so a stray ";" would be counted.
     var segments = policy.ToHeaderValue().Split(';');

     segments.Length.Should().Be(4);
 }
        /// <summary>
        ///     Smoke test: with the CSP middleware in the pipeline, a plain GET response carries a
        ///     non-empty Content-Security-Policy header. The exact value is pinned by a separate test.
        /// </summary>
        public async Task When_adding_csp_middleware_a_response_should_serve_the_csp_header()
        {
            var policy = new ContentSecurityPolicyConfiguration();
            policy.ScriptSrc.AddScheme("https:");
            policy.ImgSrc.AddKeyword(SourceListKeyword.Self);

            // Presumably the host in the URL is irrelevant to the in-memory test server; any GET will do.
            var client = CspClientHelper.Create(policy);
            var response = await client.GetAsync("https://wwww.example.com");

            var headerValue = response.Csp();
            headerValue.Should().NotBeNullOrWhiteSpace();
        }
 /// <summary>
 ///     Two directives serialise as exactly two ";"-separated segments, each in
 ///     "directive-name value" form. Note the scheme is added as "https" but expected as
 ///     "https:" — the serialiser normalises to the scheme-source form.
 /// </summary>
 public void When_set_two_sources_they_should_be_separated_by_a_semicolon()
 {
     var policy = new ContentSecurityPolicyConfiguration();
     policy.ScriptSrc.AddScheme("https");
     policy.ImgSrc.AddKeyword(SourceListKeyword.Self);

     // Trim each segment so the space after ";" does not affect the comparisons below.
     var segments = policy.ToHeaderValue()
         .Split(';')
         .Select(segment => segment.Trim())
         .ToList();

     segments.Count.Should().Be(2);
     segments.Should().Contain("script-src https:");
     segments.Should().Contain("img-src 'self'");
 }
        /// <summary>
        ///     Four configured directives serialise as exactly four ";"-separated segments — in
        ///     particular no trailing separator, which would produce a fifth, empty segment.
        /// </summary>
        public void Source_types_should_be_separated_by_a_semicolon()
        {
            var policy = new ContentSecurityPolicyConfiguration();
            policy.StyleSrc.AddKeyword(SourceListKeyword.Self);
            policy.ImgSrc.AddScheme("https");
            policy.MediaSrc.AddKeyword(SourceListKeyword.UnsafeInline);
            policy.BaseUri.AddScheme("https");

            // Plain split, empty entries kept, so a stray ";" would be counted.
            var segments = policy.ToHeaderValue().Split(';');

            segments.Length.Should().Be(4);
        }
 /// <summary>
 ///     End-to-end: the header served through the OWIN pipeline holds exactly the two
 ///     configured directives in "name value" form and nothing else.
 /// </summary>
 public async Task When_adding_csp_middleware_the_response_should_contain_the_expected_csp_directives() {
     var policy = new ContentSecurityPolicyConfiguration();
     policy.ScriptSrc.AddScheme("https:");
     policy.ImgSrc.AddKeyword(SourceListKeyword.Self);
     var client = CspClientHelper.Create(policy);

     var response = await client.GetAsync("https://wwww.example.com");

     // Split on ";" and trim so the separator's trailing space is ignored.
     var directives = response.Csp()
         .Split(';')
         .Select(directive => directive.Trim())
         .ToList();

     directives.Count.Should().Be(2);
     directives.Should().Contain("img-src 'self'");
     directives.Should().Contain("script-src https:");
 }
 /// <summary>
 ///     Builds an in-memory OWIN test server whose pipeline is: optional caller-supplied
 ///     middleware, then the CSP middleware, then a terminal handler answering 200 OK with
 ///     no body. Returns the server's <see cref="HttpClient"/>.
 /// </summary>
 /// <param name="configuration">The CSP configuration handed to the middleware.</param>
 /// <param name="intercepter">
 ///     Optional hook registered ahead of the CSP middleware; tests use it to simulate another
 ///     component touching the response first.
 /// </param>
 /// <returns>An <see cref="HttpClient"/> bound to the test server.</returns>
 public static HttpClient Create(ContentSecurityPolicyConfiguration configuration, Action<IAppBuilder> intercepter = null) {
     var server = TestServer.Create(app => {
         // Registered first, so it sits in front of the CSP middleware in the pipeline.
         if (intercepter != null) {
             intercepter(app);
         }

         app.UseOwin().ContentSecurityPolicy(configuration);

         // Terminal handler: 200 OK, empty body; 'next' is deliberately never invoked.
         app.Use((context, next) => {
             context.Response.StatusCode = 200;
             context.Response.ReasonPhrase = "OK";
             return Task.FromResult(0);
         });
     });

     return server.HttpClient;
 }
        /// <summary>
        ///     Two directives serialise as exactly two ";"-separated segments, each in
        ///     "directive-name value" form. Note the scheme is added as "https" but expected as
        ///     "https:" — the serialiser normalises to the scheme-source form.
        /// </summary>
        public void When_set_two_sources_they_should_be_separated_by_a_semicolon()
        {
            var policy = new ContentSecurityPolicyConfiguration();
            policy.ScriptSrc.AddScheme("https");
            policy.ImgSrc.AddKeyword(SourceListKeyword.Self);

            // Trim each segment so the space after ";" does not affect the comparisons below.
            var segments = policy.ToHeaderValue()
                .Split(';')
                .Select(segment => segment.Trim())
                .ToList();

            segments.Count.Should().Be(2);
            segments.Should().Contain("script-src https:");
            segments.Should().Contain("img-src 'self'");
        }
 /// <summary>
 ///     Builds an in-memory OWIN test server whose pipeline is: optional caller-supplied
 ///     middleware, then the CSP middleware, then a terminal handler answering 200 OK with
 ///     no body. Returns the server's <see cref="HttpClient"/>.
 /// </summary>
 /// <param name="configuration">The CSP configuration handed to the middleware.</param>
 /// <param name="intercepter">
 ///     Optional hook registered ahead of the CSP middleware; tests use it to simulate another
 ///     component touching the response first.
 /// </param>
 /// <returns>An <see cref="HttpClient"/> bound to the test server.</returns>
 public static HttpClient Create(ContentSecurityPolicyConfiguration configuration, Action <IAppBuilder> intercepter = null)
 {
     var server = TestServer.Create(app =>
     {
         // Registered first, so it sits in front of the CSP middleware in the pipeline.
         if (intercepter != null)
         {
             intercepter(app);
         }

         app.UseOwin().ContentSecurityPolicy(configuration);

         // Terminal handler: 200 OK, empty body; 'next' is deliberately never invoked.
         app.Use((context, next) =>
         {
             context.Response.StatusCode = 200;
             context.Response.ReasonPhrase = "OK";
             return Task.FromResult(0);
         });
     });

     return server.HttpClient;
 }
 /// <summary>
 ///     Pins "first writer wins": when middleware earlier in the pipeline has already set
 ///     Content-Security-Policy, the CSP middleware leaves that value in place instead of
 ///     replacing it with the configured policy.
 /// </summary>
 /// <remarks>
 ///     Security caveat: this also means a looser (or, as here, meaningless) policy written
 ///     upstream silently disables the configured one — there is no merge and no warning, so
 ///     middleware ordering matters. Whether a second value is appended rather than the header
 ///     replaced cannot be told from this test alone; it depends on what <c>Csp()</c> returns
 ///     for multi-valued headers.
 /// </remarks>
 public async Task When_adding_csp_middleware_and_another_middleware_has_already_added_a_csp_header_the_middlewar_should_not_add_the_header() {
     var policy = new ContentSecurityPolicyConfiguration();
     policy.ScriptSrc.AddKeyword(SourceListKeyword.Self);

     // Upstream middleware that writes a placeholder CSP header just before the headers are sent.
     Action<IAppBuilder> writeDummyHeader = app => app.Use(async (context, next) => {
         context.Response.OnSendingHeaders(state => {
             ((IOwinResponse)state).Headers.Add(HeaderConstants.ContentSecurityPolicy, new[] { "Dummy" });
         }, context.Response);
         await next();
     });

     var client = CspClientHelper.Create(policy, writeDummyHeader);
     var response = await client.GetAsync("http://www.example.com");

     response.Csp().ShouldEqual("Dummy");
 }
        /// <summary>
        ///     End-to-end: the header served through the OWIN pipeline holds exactly the two
        ///     configured directives in "name value" form and nothing else.
        /// </summary>
        public async Task When_adding_csp_middleware_the_response_should_contain_the_expected_csp_directives()
        {
            var policy = new ContentSecurityPolicyConfiguration();
            policy.ScriptSrc.AddScheme("https:");
            policy.ImgSrc.AddKeyword(SourceListKeyword.Self);
            var client = CspClientHelper.Create(policy);

            var response = await client.GetAsync("https://wwww.example.com");

            // Split on ";" and trim so the separator's trailing space is ignored.
            var directives = response.Csp()
                .Split(';')
                .Select(directive => directive.Trim())
                .ToList();

            directives.Count.Should().Be(2);
            directives.Should().Contain("img-src 'self'");
            directives.Should().Contain("script-src https:");
        }
        /// <summary>
        ///     Micro-benchmark: adds <c>iterations</c> distinct host sources to one
        ///     <c>script-src</c> directive and prints the elapsed time. The host strings are
        ///     built up front so string formatting stays outside the timed region.
        /// </summary>
        /// <remarks>
        ///     <c>iterations</c>, <c>PrepareTest</c> and <c>PrintTime</c> are defined elsewhere
        ///     in this class.
        /// </remarks>
        private static void PerfAddHostToConfig()
        {
            var policy = new ContentSecurityPolicyConfiguration();

            // Unique hosts: https://www.example0.org/abcd0/, https://www.example1.org/abcd1/, ...
            var hosts = new List<string>();
            var n = 0;
            while (n < iterations)
            {
                hosts.Add(string.Format("https://www.example{0}.org/abcd{0}/", n));
                n++;
            }

            // Presumably a warm-up call — see PrepareTest.
            PrepareTest(() => policy.ScriptSrc.AddHost("https://www.example.org/abcd/"));

            var timer = Stopwatch.StartNew();
            foreach (var host in hosts)
            {
                policy.ScriptSrc.AddHost(host);
            }
            timer.Stop();

            Console.WriteLine("PerfAddHostToConfig");
            PrintTime(timer);
        }
        /// <summary>
        ///     Pins "first writer wins": when middleware earlier in the pipeline has already set
        ///     Content-Security-Policy, the CSP middleware leaves that value in place instead of
        ///     replacing it with the configured policy.
        /// </summary>
        /// <remarks>
        ///     Security caveat: this also means a looser (or, as here, meaningless) policy written
        ///     upstream silently disables the configured one — there is no merge and no warning, so
        ///     middleware ordering matters. Whether a second value is appended rather than the header
        ///     replaced cannot be told from this test alone; it depends on what <c>Csp()</c> returns
        ///     for multi-valued headers.
        /// </remarks>
        public async Task When_adding_csp_middleware_and_another_middleware_has_already_added_a_csp_header_the_middlewar_should_not_add_the_header()
        {
            var policy = new ContentSecurityPolicyConfiguration();
            policy.ScriptSrc.AddKeyword(SourceListKeyword.Self);

            // Upstream middleware that writes a placeholder CSP header just before the headers are sent.
            Action<IAppBuilder> writeDummyHeader = app => app.Use(async (context, next) =>
            {
                context.Response.OnSendingHeaders(state =>
                {
                    ((IOwinResponse)state).Headers.Add(HeaderConstants.ContentSecurityPolicy, new[] { "Dummy" });
                }, context.Response);
                await next();
            });

            var client = CspClientHelper.Create(policy, writeDummyHeader);
            var response = await client.GetAsync("http://www.example.com");

            response.Csp().ShouldEqual("Dummy");
        }
        /// <summary>
        ///     Creates a configuration with every header switched off and a fresh default
        ///     sub-configuration for each. Callers opt in per header by setting the matching
        ///     <c>Use*</c> flag, so a default instance adds no security headers at all.
        /// </summary>
        /// <remarks>
        ///     NOTE(review): because every flag defaults to <c>false</c>, forgetting to set one means
        ///     that protection is silently absent — consuming apps may want a startup assertion on
        ///     the flags they rely on. Also, HPKP (<c>UseHpkp</c>) is deprecated and no longer
        ///     honoured by mainstream browsers, and pinning the wrong key can lock users out; leave
        ///     it off unless you know exactly why you need it.
        /// </remarks>
        public SecureHeadersMiddlewareConfiguration()
        {
            // Each header: opt-in flag (off) paired with its default sub-configuration.
            UseHsts = false;
            HstsConfiguration = new HstsConfiguration();

            UseHpkp = false;
            HpkpConfiguration = new HPKPConfiguration();

            UseXFrameOptions = false;
            XFrameOptionsConfiguration = new XFrameOptionsConfiguration();

            UseXssProtection = false;
            XssConfiguration = new XssConfiguration();

            // X-Content-Type-Options has no sub-configuration; only the flag exists.
            UseXContentTypeOptions = false;

            UseContentSecurityPolicy = false;
            ContentSecurityPolicyConfiguration = new ContentSecurityPolicyConfiguration();

            UsePermittedCrossDomainPolicy = false;
            PermittedCrossDomainPolicyConfiguration = new PermittedCrossDomainPolicyConfiguration();

            UseReferrerPolicy = false;
            ReferrerPolicy = new ReferrerPolicy();
        }
        /// <summary>
        ///     Micro-benchmark: adds <c>iterations</c> distinct host sources to one
        ///     <c>script-src</c> directive and prints the elapsed time. The host strings are
        ///     built up front so string formatting stays outside the timed region.
        /// </summary>
        /// <remarks>
        ///     <c>iterations</c>, <c>PrepareTest</c> and <c>PrintTime</c> are defined elsewhere
        ///     in this class.
        /// </remarks>
        private static void PerfAddHostToConfig()
        {
            var policy = new ContentSecurityPolicyConfiguration();

            // Unique hosts: https://www.example0.org/abcd0/, https://www.example1.org/abcd1/, ...
            var hosts = new List<string>();
            var n = 0;
            while (n < iterations)
            {
                hosts.Add(string.Format("https://www.example{0}.org/abcd{0}/", n));
                n++;
            }

            // Presumably a warm-up call — see PrepareTest.
            PrepareTest(() => policy.ScriptSrc.AddHost("https://www.example.org/abcd/"));

            var timer = Stopwatch.StartNew();
            foreach (var host in hosts)
            {
                policy.ScriptSrc.AddHost(host);
            }
            timer.Stop();

            Console.WriteLine("PerfAddHostToConfig");
            PrintTime(timer);
        }
        /// <summary>
        ///     Micro-benchmark: serialises a small, mixed CSP configuration to its header
        ///     value <c>iterations</c> times and prints the elapsed time.
        /// </summary>
        /// <remarks>
        ///     The timed loop also calls <c>Trace.Write</c> on every pass, so the figure
        ///     printed includes trace-listener overhead, not only <c>ToHeaderValue()</c>.
        ///     <c>iterations</c>, <c>PrepareTest</c> and <c>PrintTime</c> are defined
        ///     elsewhere in this class.
        /// </remarks>
        private static void PerfConfigToHeaderValue()
        {
            var policy = new ContentSecurityPolicyConfiguration();

            // One of each directive shape: keyword, empty-valued, scheme, media type, scheme+host.
            policy.StyleSrc.AddKeyword(SourceListKeyword.Self);
            policy.Sandbox.SetToEmptyValue();
            policy.ConnectSrc.AddScheme("https");
            policy.PluginTypes.AddMediaType("application/xml");
            policy.BaseUri.AddScheme("https");
            policy.BaseUri.AddHost("www.example.org");

            // Presumably a warm-up pass so first-call costs stay out of the timed region — see PrepareTest.
            PrepareTest(() => policy.ToHeaderValue());

            var timer = Stopwatch.StartNew();
            for (var pass = 0; pass < iterations; pass++)
            {
                policy.ToHeaderValue();
                Trace.Write(pass);
            }
            timer.Stop();

            Console.WriteLine("PerfConfigToHeaderValue");
            PrintTime(timer);
        }
        /// <summary>
        ///     An untouched configuration serialises to the empty string — not null and not
        ///     whitespace — so "nothing configured" can be detected without emitting an empty
        ///     (and therefore invalid) header.
        /// </summary>
        public void When_generating_header_value_and_no_configurations_are_set_return_empty_string()
        {
            var headerValue = new ContentSecurityPolicyConfiguration().ToHeaderValue();

            headerValue.Should().BeEmpty();
        }
 /// <summary>
 ///     <c>SetToNone()</c> must serialise as <c>script-src 'none'</c>. The single quotes
 ///     are significant: an unquoted <c>none</c> would be read by browsers as a host name,
 ///     not as the "allow nothing" keyword.
 /// </summary>
 public void When_set_scriptSrc_to_none_the_header_value_should_contain_the_directive_with_none()
 {
     var policy = new ContentSecurityPolicyConfiguration();
     policy.ScriptSrc.SetToNone();

     var headerValue = policy.ToHeaderValue();

     headerValue.Should().Be("script-src 'none'");
 }
 /// <summary>
 ///     An empty-valued <c>sandbox</c> directive must still be emitted. A bare
 ///     "sandbox" token is the most restrictive form (no allow-* relaxations), so
 ///     dropping it because it has "no value" would silently weaken the policy.
 /// </summary>
 public void When_sandbox_value_is_set_to_empty_the_directive_should_be_created()
 {
     var policy = new ContentSecurityPolicyConfiguration();
     policy.Sandbox.SetToEmptyValue();

     var directives = policy.ToHeaderValue()
         .Split(';')
         .Select(directive => directive.Trim());

     // Nothing else is configured, so the whole header is the single "sandbox" directive.
     directives.Should().OnlyContain(directive => directive == "sandbox");
 }
 /// <summary>
 ///     An untouched configuration serialises to the empty string — not null and not
 ///     whitespace — so "nothing configured" can be detected without emitting an empty
 ///     (and therefore invalid) header.
 /// </summary>
 public void When_generating_header_value_and_no_configurations_are_set_return_empty_string()
 {
     var headerValue = new ContentSecurityPolicyConfiguration().ToHeaderValue();

     headerValue.Should().BeEmpty();
 }
 /// <summary>
 ///     Adds the "Content-Security-Policy-Report-Only" header with the given configuration to the response.
 /// </summary>
 /// <remarks>
 ///     Report-Only policies are not enforced by the browser: violations are reported (for
 ///     example to the configured <c>report-uri</c>) but the offending resource still loads.
 ///     Use it to trial a policy and pair it with the enforcing <c>ContentSecurityPolicy</c>
 ///     registration to actually block. Only <paramref name="builder"/> is null-checked here;
 ///     <paramref name="configuration"/> is passed through as-is.
 /// </remarks>
 /// <param name="builder">The IAppBuilder instance.</param>
 /// <param name="configuration">The Content-Security-Policy configuration.</param>
 /// <returns>The same <paramref name="builder"/>, for fluent chaining.</returns>
 public static IAppBuilder ContentSecurityPolicyReportOnly(this IAppBuilder builder, ContentSecurityPolicyConfiguration configuration)
 {
     builder.MustNotNull("builder");

     // Register through the OWIN-level overload, then hand the builder back unchanged.
     var owinBuilder = builder.UseOwin();
     owinBuilder.ContentSecurityPolicyReportOnly(configuration);

     return builder;
 }
 /// <summary>
 ///     Adds the "Content-Security-Policy-Report-Only" header with the given configuration to the response.
 /// </summary>
 /// <remarks>
 ///     Report-Only policies are not enforced by the browser: violations are reported (for
 ///     example to the configured <c>report-uri</c>) but the offending resource still loads.
 ///     Use it to trial a policy and pair it with the enforcing <c>ContentSecurityPolicy</c>
 ///     registration to actually block. Only <paramref name="builder"/> is null-checked here;
 ///     <paramref name="configuration"/> is passed through as-is.
 /// </remarks>
 /// <param name="builder">The IAppBuilder instance.</param>
 /// <param name="configuration">The Content-Security-Policy configuration.</param>
 /// <returns>The same <paramref name="builder"/>, for fluent chaining.</returns>
 public static IAppBuilder ContentSecurityPolicyReportOnly(this IAppBuilder builder, ContentSecurityPolicyConfiguration configuration)
 {
     builder.MustNotNull("builder");

     // Register through the OWIN-level overload, then hand the builder back unchanged.
     var owinBuilder = builder.UseOwin();
     owinBuilder.ContentSecurityPolicyReportOnly(configuration);

     return builder;
 }