public static string GetPolicyString(this ReferrerPolicy policy)
{
switch (policy)
{
case ReferrerPolicy.Disabled:
throw new ArgumentOutOfRangeException(nameof(policy), "Disabled is not an actual referrer policy.");
case ReferrerPolicy.NoReferrer:
return("no-referrer");
case ReferrerPolicy.NoReferrerWhenDowngrade:
return("no-referrer-when-downgrade");
case ReferrerPolicy.SameOrigin:
return("same-origin");
case ReferrerPolicy.Origin:
return("origin");
case ReferrerPolicy.StrictOrigin:
return("strict-origin");
case ReferrerPolicy.OriginWhenCrossOrigin:
return("origin-when-cross-origin");
case ReferrerPolicy.StrictOriginWhenCrossOrigin:
return("strict-origin-when-cross-origin");
case ReferrerPolicy.UnsafeUrl:
return("unsafe-url");
default:
throw new ArgumentOutOfRangeException(nameof(policy), $"Unexpected value: {policy}");
}
}
public void MapToCoreType_UnknownValue_Throws()
{
const ReferrerPolicy invalid = (ReferrerPolicy)Int32.MaxValue;
Assert.False(Enum.IsDefined(typeof(ReferrerPolicyCore), (ReferrerPolicyCore)invalid));
Assert.Throws <ArgumentOutOfRangeException>(() => invalid.MapToCoreType());
}
/// <summary>
/// Initializes a new instance of the <see cref="ReferrerPolicyAttribute"/> class
/// </summary>
public ReferrerPolicyAttribute(ReferrerPolicy policy)
{
_config = new ReferrerPolicyConfiguration {
Policy = policy.MapToCoreType()
};
_configurationOverrideHelper = new HeaderConfigurationOverrideHelper();
_headerOverrideHelper = new HeaderOverrideHelper(new CspReportHelper());
}
public ReferrerPolicyMiddleware(RequestDelegate next, ReferrerPolicy policy)
{
this.policy = policy;
_next = next;
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
}
public static ReferrerPolicyCore MapToCoreType(this ReferrerPolicy policy)
{
var result = (ReferrerPolicyCore)policy;
if (!Enum.IsDefined(typeof(ReferrerPolicyCore), result))
{
throw new ArgumentOutOfRangeException(nameof(policy), $"The enum value {policy} was undefined in core enum type.");
}
return(result);
}
/// <summary>
/// The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.
/// </summary>
/// <param name="response"></param>
/// <param name="value"></param>
/// <returns></returns>
public static HttpResponse SetReferrerPolicy(this HttpResponse response, ReferrerPolicy value)
{
response.Headers.Append("Referrer-Policy", value switch
{
ReferrerPolicy.NoReferrer => "no-referrer",
ReferrerPolicy.NoReferrerWhenDowngrade => "no-referrer-when-downgrade",
ReferrerPolicy.Origin => "origin",
ReferrerPolicy.OriginWhenCrossOrigin => "origin-when-cross-origin",
ReferrerPolicy.SameOrigin => "same-origin",
ReferrerPolicy.StrictOrigin => "strict-origin",
ReferrerPolicy.StrictOriginWhenCrossOrigin => "strict-origin-when-cross-origin",
_ => throw new Exception()
});
public SecureHeadersMiddlewareConfiguration()
{
UseHsts = false;
UseHpkp = false;
UseXFrameOptions = false;
UseXssProtection = false;
UseXContentTypeOptions = false;
UseContentSecurityPolicy = false;
UsePermittedCrossDomainPolicy = false;
UseReferrerPolicy = false;
HstsConfiguration = new HstsConfiguration();
HpkpConfiguration = new HPKPConfiguration();
XFrameOptionsConfiguration = new XFrameOptionsConfiguration();
XssConfiguration = new XssConfiguration();
ContentSecurityPolicyConfiguration = new ContentSecurityPolicyConfiguration();
PermittedCrossDomainPolicyConfiguration = new PermittedCrossDomainPolicyConfiguration();
ReferrerPolicy = new ReferrerPolicy();
}
public void ReferrerPolicySet(ReferrerPolicy policy)
{
_http.Header.SetupSet(a => a[Constants.ServerHeader] = Constants.Referrers[policy]).Verifiable();
AsyncTools.RunSync(() => new Middleware.ServerHeader(null, Constants.Referrers[policy]).Invoke(_http.ContextMock.Object));
_http.Header.Verify();
}
public void CreateReferrerPolicyResult_RPPolicyWithSamePolicyInConfig_ReturnsSetReferrerPolicyResult(ReferrerPolicy policy, string expected)
{
var referrerConfig = new ReferrerPolicyConfiguration {
Policy = policy
};
var oldreferrerConfig = new ReferrerPolicyConfiguration {
Policy = policy
};
var result = _generator.CreateReferrerPolicyResult(referrerConfig, oldreferrerConfig);
Assert.NotNull(result);
Assert.Equal(HeaderResult.ResponseAction.Set, result.Action);
Assert.Equal("Referrer-Policy", result.Name);
Assert.Equal(expected, result.Value);
}
public async Task ReferrerPolicyHeaderMiddleware_EmitsReferrerPolicyOptionValue(ReferrerPolicy policy, string value)
{
// Arrane
var server = PersonalSiteTestServer.Create(app =>
{
app.UseReferrerPolicyHeader(policy);
});
// Act
var response = await server.CreateRequest("http://server/").GetAsync();
// Assert
Assert.True(response.Headers.Contains(ReferrerPolicyHeaderMiddleware.ReferrerPolicyHeaderName));
Assert.Equal(value, response.Headers.GetValues(ReferrerPolicyHeaderMiddleware.ReferrerPolicyHeaderName).First());
}
public void NoReferrer()
{
Policy = ReferrerPolicy.NoReferrer;
}
public void ReferrerPolicyMapping(ReferrerPolicy policy, string val)
{
Assert.Equal(val, Constants.Referrers[policy]);
}
public void GetPolicyString_ValidPolicy_ReturnsPolicyString(ReferrerPolicy policy, string expectedPolicy)
{
var result = policy.GetPolicyString();
Assert.Equal(expectedPolicy, result);
}
public ReferrerPolicyMiddleware(RequestDelegate next, ReferrerPolicy policy)
{
_next = next;
Policy = policy;
_headerValue = HeaderValues[Policy];
}
/// <summary>
/// Initialises a new <see cref="ReferrerPolicyHeaderOptions"/> instance with a specified policy.
/// </summary>
/// <param name="policy">The referrer policy to use.</param>
public ReferrerPolicyHeaderOptions(ReferrerPolicy policy)
{
Policy = policy;
}
public void UnsafeUrl()
{
Policy = ReferrerPolicy.UnsafeUrl;
}
public void StrictOriginWhenCrossOrigin()
{
Policy = ReferrerPolicy.StrictOriginWhenCrossOrigin;
}
public void OriginWhenCrossOrigin()
{
Policy = ReferrerPolicy.OriginWhenCrossOrigin;
}
public void Origin()
{
Policy = ReferrerPolicy.Origin;
}
public void SameOrigin()
{
Policy = ReferrerPolicy.SameOrigin;
}
public void NoReferrerWhenDowngrade()
{
Policy = ReferrerPolicy.NoReferrerWhenDowngrade;
}
public static IApplicationBuilder UseReferrerPolicy(this IApplicationBuilder app, ReferrerPolicy policy)
{
if (app == null)
{
throw new ArgumentNullException(nameof(app));
}
return(app.UseMiddleware <Middleware.ReferrerPolicy>(policy));
}
/// <summary>
/// Adds the Referrer-Policy header to all responses.
/// </summary>
/// <param name="app"></param>
/// <param name="policy"></param>
public static void UseReferrerPolicy(this IApplicationBuilder app, ReferrerPolicy policy = ReferrerPolicy.SameOrigin)
{
app.UseMiddleware <ReferrerPolicyMiddleware>(policy);
}
/// <summary>
/// Add Referrer policy options to the header
/// When you click a link on a website, the calling URL is automatically transferred to the linked site. Unless this is necessary, you should disable it using the Referrer-Policy header
/// By default This method will add header 'Referrer-Policy', 'no-referrer'
/// </summary>
/// <param name="policy">Referrer policy, default set to no-referrer</param>
public static IApplicationBuilder AddReferrerPolicyHeader(this IApplicationBuilder app, ReferrerPolicy policy = ReferrerPolicy.NoReferrer)
{
app.UseMiddleware <ReferrerPolicyMiddleware>(new OptionsWrapper <ReferrerPolicyModel>(new ReferrerPolicyModel(policy)));
return(app);
}
public void GetPolicyString_InvalidPolicy_Throws(ReferrerPolicy policy)
{
Assert.Throws <ArgumentOutOfRangeException>(() => policy.GetPolicyString());
}
/// <summary>
/// Defines the parameters for the Referrer policy header with 'no-referrer' option set
/// </summary>
public ReferrerPolicyModel(ReferrerPolicy referrerPolicy)
{
this.ReferrerPolicy = referrerPolicy;
}
/// <summary>
/// The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.
/// </summary>
/// <param name="builder"></param>
/// <param name="value"></param>
/// <returns></returns>
public static IApplicationBuilder AddReferrerPolicy(this IApplicationBuilder builder, ReferrerPolicy value)
{
builder.Use((context, next) =>
{
context.Response.SetReferrerPolicy(value);
return(next());
});
return(builder);
}
/// <summary> /// Typically when users are directed away from your site they have a referrer header. This says where the request is coming from, which has privacy implications for your users. /// </summary> /// <param name="app"></param> /// <param name="policy">A referrer policy. You can read more about them here: https://www.w3.org/TR/referrer-policy/#referrer-policies </param> /// <returns></returns> public static IApplicationBuilder UseReferrerPolicy(this IApplicationBuilder app, ReferrerPolicy policy) => app.UseMiddleware <ReferrerPolicyMiddleware>(policy);
/// <summary>
/// Specifies a policy that determines when the <c>Referer</c> header is sent.
/// </summary>
/// <param name="builder">
/// The builder being used to configure the response headers.
/// </param>
/// <param name="referrerPolicy">
/// A value that specifies the algorithm used to populate the
/// <c>Referer</c> header.
/// </param>
/// <returns>
/// A reference to <paramref name="builder"/> with the specified Referrer Policy.
/// </returns>
public static ResponseHeadersOptionsBuilder AddReferrerPolicy(this ResponseHeadersOptionsBuilder builder, ReferrerPolicy referrerPolicy)
{
return(builder.Add("Referrer-Policy", referrerPolicy.ToString()));
}
public static IServiceCollection AddReferrerPolicy(this IServiceCollection services, ReferrerPolicy policy = ReferrerPolicy.SameOrigin)
{
return(services.AddReferrerPolicy(new ReferrerPolicyOptions(policy)));
}
