private IContentSecurityPolicy Map(Item i)
{
IContentSecurityPolicy p = new ContentSecurityPolicy();
p.Default = GetDefaultSecurityPolicy(i);
p.Script = GetScriptSecurityPolicy(i);
p.Style = GetStyleSecurityPolicy(i);
p.Image = GetImageSecurityPolicy(i);
p.Font = GetFontSecurityPolicy(i);
p.Connect = GetConnectSecurityPolicy(i);
p.Media = GetMediaSecurityPolicy(i);
p.Object = GetObjectSecurityPolicy(i);
p.Child = GetChildSecurityPolicy(i);
p.FrameAncestors = GetFrameAncestorsSecurityPolicy(i);
p.FormAction = GetFormActionSecurityPolicy(i);
p.Manifest = GetManifestSecurityPolicy(i);
//p.Referrer = GetReferrerOptions(i);
//p.Sandbox = GetSandboxOptions(i);
p.ReflectedXss = GetReflectedXssOptions(i);
p.BaseUri = GetBaseUri(i);
p.BlockAllMixedContent = GetMixedContentSetting(i);
p.PluginTypes = GetPluginTypes(i);
p.ReportOnly = GetReportOnlyOption(i);
p.ReportUri = GetReportUri(i);
p.UpgradeInsecureRequests = GetUpgradeInsecureRequestsOptions(i);
return(p);
}
public void AmendedUpdateIgnoresDuplicates()
{
var policy = new ContentSecurityPolicy().AppendPolicy("img-src: https://www.example.org https://www.w3.org");
policy.AppendPolicy("img-src: https://www.example.org https://example.org");
Assert.AreEqual("img-src: https://www.example.org https://www.w3.org https://example.org", policy.ToString());
}
public void Test2()
{
IContentSecurityPolicy policy = new ContentSecurityPolicy();
var a = GetSourceSettings <DefaultContentSecurityPolicySource>();
var b = GetSourceSettings <ScriptContentSecurityPolicySource>();
var result = policy.ToString();
}
public ContentSecurityPolicyMiddleware(RequestDelegate next, ContentSecurityPolicy policy)
{
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
_policy = ContentSecurityHeaderBuilder.Build(policy);
_next = next;
}
protected void Page_Load(object sender, System.EventArgs e)
{
// Since content refreshed every 15 mins, set date modified of content to today
this.headContent.DateModified = DateTimeFormatter.ISODate(DateTime.Today);
var policy = new ContentSecurityPolicy(HttpContext.Current.Request.Url);
policy.AppendFromConfig("GoogleMaps");
policy.AppendFromConfig("Roadworks");
policy.UpdateHeader(System.Web.HttpContext.Current.Response);
}
public void AddingScriptAddsHashToHeaderValue()
{
var testPolicy = ContentSecurityPolicy.Empty();
var scriptContents = "console.log('example script');";
var scriptBytes = Encoding.UTF8.GetBytes(scriptContents);
var hashedContents = SHA256Managed.Create().ComputeHash(scriptBytes).Select(x => x.ToString("x2")).Aggregate((a, b) => $"{a}{b}");
Assert.AreEqual($"script-src 'sha256-{hashedContents}';", testPolicy.AddScript(scriptContents).GetHeaderValue());
}
public void TestMethod1()
{
ContentSecurityPolicy policy = new ContentSecurityPolicy();
policy.Default.Hostnames = "www.google.com";
policy.Default.Options = new ContentSecurityPolicyOptions()
{
Self = true,
Data = true
};
var result = policy.ToString();
;
}
public void SetContentSecurityPolicy(ContentSecurityPolicy policy)
{
string headerName =
(policy.ReportOnly) ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
if (policy.SupportNonces)
{
this.SetHeader(headerName, policy.ToHeader);
}
else
{
this.SetHeader(headerName, policy.ToHeader(null));
}
}
private ScannerResult CheckCSP(ScannerRequest request, StringBuilder sb, StringBuilder linkBuilder = null)
{
ScannerResult result = ContentSecurityPolicy.Check(request);
if (result.Success)
{
sb.Append("\tCSP Vulnerability Found! " + request.URL + "! Email sent." + result.Results.First());
SendEmail("\tCSP Vulnerability Found ", request.URL + " appears to have unclaimed CSP URLS: " + Environment.NewLine + result.Results.First());
if (linkBuilder != null)
{
linkBuilder.Append(String.Join(Environment.NewLine, result.Results.ToArray()) + Environment.NewLine);
}
}
else
{
sb.Append("\tNo CSP found." + Environment.NewLine);
}
return(result);
}
internal static string Build(ContentSecurityPolicy policy)
{
var stringBuilder = new StringBuilder();
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
if (policy.DefaultSrc != null && policy.DefaultSrc.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.DefaultSrc);
stringBuilder.Append($" {string.Join(" ", policy.DefaultSrc)}; ");
}
if (policy.ScriptSrc != null && policy.ScriptSrc.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.ScriptSrc);
stringBuilder.Append($" {string.Join(" ", policy.ScriptSrc)}; ");
}
if (policy.StyleSrc != null && policy.StyleSrc.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.StyleSrc);
stringBuilder.Append($" {string.Join(" ", policy.StyleSrc)}; ");
}
if (policy.ImgSrc != null && policy.ImgSrc.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.ImgSrc);
stringBuilder.Append($" {string.Join(" ", policy.ImgSrc)}; ");
}
if (policy.ConnectSrc != null && policy.ConnectSrc.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.ConnectSrc);
stringBuilder.Append($" {string.Join(" ", policy.ConnectSrc)}; ");
}
if (policy.FontSrc != null && policy.FontSrc.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.FontSrc);
stringBuilder.Append($" {string.Join(" ", policy.FontSrc)}; ");
}
if (policy.ObjectSrc != null && policy.ObjectSrc.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.ObjectSrc);
stringBuilder.Append($" {string.Join(" ", policy.ObjectSrc)}; ");
}
if (policy.MediaSrc != null && policy.MediaSrc.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.MediaSrc);
stringBuilder.Append($" {string.Join(" ", policy.MediaSrc)}; ");
}
if (policy.ChildSrc != null && policy.ChildSrc.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.ChildSrc);
stringBuilder.Append($" {string.Join(" ", policy.ChildSrc)}; ");
}
if (policy.FormAction != null && policy.FormAction.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.FormAction);
stringBuilder.Append($" {string.Join(" ", policy.FormAction)}; ");
}
if (policy.FrameAncestors != null && policy.FrameAncestors.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.FrameAncestors);
stringBuilder.Append($" {string.Join(" ", policy.FrameAncestors)}; ");
}
if (policy.Sandbox != null)
{
stringBuilder.Append(Constants.CspDirectives.Sandbox);
stringBuilder.Append($" {policy.Sandbox.Value}; ");
}
if (policy.PluginTypes != null && policy.PluginTypes.Count > 0)
{
stringBuilder.Append(Constants.CspDirectives.PluginTypes);
stringBuilder.Append($" {string.Join(" ", policy.PluginTypes)}; ");
}
return(stringBuilder.ToString().TrimEnd());
}
public static IApplicationBuilder UseContentSecurityPolicy(this IApplicationBuilder app, ContentSecurityPolicy policy)
{
if (app == null)
{
throw new ArgumentNullException(nameof(app));
}
return(app.UseMiddleware <Middleware.ContentSecurityPolicy>(policy));
}
public static string Build(ContentSecurityPolicy policy)
{
var stringBuilder = new StringBuilder();
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
if (policy.DefaultSrc != null && policy.DefaultSrc.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.DefaultSrc);
stringBuilder.Append($" {string.Join(" ", policy.DefaultSrc)}; ");
}
if (policy.ScriptSrc != null && policy.ScriptSrc.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.ScriptSrc);
stringBuilder.Append($" {string.Join(" ", policy.ScriptSrc)}; ");
}
if (policy.StyleSrc != null && policy.StyleSrc.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.StyleSrc);
stringBuilder.Append($" {string.Join(" ", policy.StyleSrc)}; ");
}
if (policy.ImgSrc != null && policy.ImgSrc.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.ImgSrc);
stringBuilder.Append($" {string.Join(" ", policy.ImgSrc)}; ");
}
if (policy.ConnectSrc != null && policy.ConnectSrc.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.ConnectSrc);
stringBuilder.Append($" {string.Join(" ", policy.ConnectSrc)}; ");
}
if (policy.FontSrc != null && policy.FontSrc.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.FontSrc);
stringBuilder.Append($" {string.Join(" ", policy.FontSrc)}; ");
}
if (policy.ObjectSrc != null && policy.ObjectSrc.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.ObjectSrc);
stringBuilder.Append($" {string.Join(" ", policy.ObjectSrc)}; ");
}
if (policy.MediaSrc != null && policy.MediaSrc.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.MediaSrc);
stringBuilder.Append($" {string.Join(" ", policy.MediaSrc)}; ");
}
if (policy.ChildSrc != null && policy.ChildSrc.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.ChildSrc);
stringBuilder.Append($" {string.Join(" ", policy.ChildSrc)}; ");
}
if (policy.FormAction != null && policy.FormAction.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.FormAction);
stringBuilder.Append($" {string.Join(" ", policy.FormAction)}; ");
}
if (policy.FrameAncestors != null && policy.FrameAncestors.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.FrameAncestors);
stringBuilder.Append($" {string.Join(" ", policy.FrameAncestors)}; ");
}
if (policy.Sandbox != null)
{
stringBuilder.Append(Constants.CSPDirectives.Sandbox);
stringBuilder.Append($" {policy.Sandbox.Value}; ");
}
if (!string.IsNullOrWhiteSpace(policy.ReportUri))
{
if (policy.OnlySendReport)
{
stringBuilder.Append(Constants.CSPDirectives.ReportUriReportOnly);
}
else
{
stringBuilder.Append(Constants.CSPDirectives.ReportUri);
}
stringBuilder.Append($" {policy.ReportUri}; ");
}
if (policy.PluginTypes != null && policy.PluginTypes.Count > 0)
{
stringBuilder.Append(Constants.CSPDirectives.PluginTypes);
stringBuilder.Append($" {string.Join(" ", policy.PluginTypes)}; ");
}
if (policy.UpgradeInsecureRequests)
{
stringBuilder.Append($"{Constants.CSPDirectives.UpgradeInsecureRequests}; ");
}
return(stringBuilder.ToString().TrimEnd());
}
/// <summary> /// The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks /// </summary> /// <param name="app"></param> /// <param name="policy"></param> /// <returns></returns> public static IApplicationBuilder UseContentSecurityPolicy(this IApplicationBuilder app, ContentSecurityPolicy policy) => app.UseMiddleware <ContentSecurityPolicyMiddleware>(policy);
public void AddingScriptReturnsNewPolicy()
{
var testPolicy = ContentSecurityPolicy.Empty();
Assert.AreNotSame(testPolicy, testPolicy.AddScript("console.log('example script');"));
}
