public async Task CspHeaderIsNotIncluded_WhenRequestHeadersAlreadyContainCspReportOnlyHeader() { bool cspHeaderExists = true; RequestDelegate mockNext = (HttpContext ctx) => { cspHeaderExists = ctx.Response.Headers.ContainsKey("Content-Security-Policy"); return(Task.CompletedTask); }; var options = Options.Create(new CspOptions() { Default = new Csp.Options.CspDefaultSrcOptions { AllowAny = true } }); var sut = new CspMiddleware(mockNext, options); var mockContext = new DefaultHttpContext(); mockContext.Response.Headers.Add("Content-Security-Policy-Report-Only", "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"); await sut.Invoke(mockContext); //Header not added since a report-only version already is there Assert.False(cspHeaderExists); }
public async Task CspHeaderIsNotIncluded_WhenInvokedWithShouldNotSendDelegate_ThatSetsShouldNotSendToTrue() { bool cspHeaderExists = true; RequestDelegate mockNext = (HttpContext ctx) => { cspHeaderExists = ctx.Response.Headers.ContainsKey("Content-Security-Policy"); return Task.CompletedTask; }; var options = Options.Create(new CspOptions() { Default = new Csp.Options.CspDefaultSrcOptions { AllowAny = true }, OnSendingHeader = ctx => { ctx.ShouldNotSend = true; return Task.CompletedTask; } }); var mockContext = new DefaultHttpContext(); var sut = new CspMiddleware(mockNext, options); await sut.Invoke(mockContext); Assert.False(cspHeaderExists); }
public async Task CspHeaderIsNotIncluded_WhenRequestHeadersAlreadyContainCspHeader() { RequestDelegate mockNext = (HttpContext ctx) => { return(Task.CompletedTask); }; var options = Options.Create(new CspOptions() { Default = new Csp.Options.CspDefaultSrcOptions { AllowAny = true } }); var sut = new CspMiddleware(mockNext, options); var mockContext = new DefaultHttpContext(); mockContext.Response.Headers.Add("Content-Security-Policy", "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"); await sut.Invoke(mockContext); //Invoke throws System.ArgumentException if it tries to add the header again }