Esempio n. 1
        /// <summary>
        /// Builds a Content-Security-Policy that denies everything by default and
        /// allows only scripts matching <paramref name="hash"/>, then hands it to
        /// <c>AddCspHeaders</c> to be written on the response.
        /// </summary>
        /// <param name="response">Response whose header collection receives the policy.</param>
        /// <param name="options">CSP settings; <c>Level</c> decides whether the CSP1 fallback is emitted.</param>
        /// <param name="hash">
        /// Hash source placed between single quotes in <c>script-src</c>. It is written
        /// verbatim, so it is presumably an unquoted value such as "sha256-..." produced
        /// by the application itself (confirm against callers).
        /// </param>
        /// <remarks>
        /// With <c>CspLevel.One</c> the policy also carries 'unsafe-inline'. Browsers that
        /// understand hash sources ignore that keyword when a hash is present, but browsers
        /// that only implement CSP Level 1 will then run every inline script, so the hash
        /// gives no protection there.
        /// </remarks>
        public static void AddScriptCspHeaders(this HttpResponse response, CspOptions options, string hash)
        {
            var policy = "default-src 'none'; script-src ";

            // CSP1 fallback: only emitted when the configured level asks for it.
            if (options.Level == CspLevel.One)
            {
                policy += "'unsafe-inline' ";
            }

            // The hash is not validated or escaped here; it must never carry request-derived text.
            policy += "'" + hash + "'";

            AddCspHeaders(response.Headers, options, policy);
        }
Esempio n. 2
 /// <summary>
 /// Writes <paramref name="cspHeader"/> under "Content-Security-Policy" and, when
 /// <c>options.AddDeprecatedHeader</c> is set, also under "X-Content-Security-Policy".
 /// </summary>
 /// <param name="headers">Header collection to update.</param>
 /// <param name="options">CSP settings; only <c>AddDeprecatedHeader</c> is read here.</param>
 /// <param name="cspHeader">Complete policy string, written as given.</param>
 /// <remarks>
 /// A header that is already present is left untouched, so whatever set it first wins
 /// and this policy is silently not applied. If an earlier component wrote a looser
 /// policy, the response keeps the looser one.
 /// </remarks>
 private static void AddCspHeaders(IHeaderDictionary headers, CspOptions options, string cspHeader)
 {
     const string StandardName = "Content-Security-Policy";
     // Pre-standard header name, kept only for older browsers that never adopted the standard one.
     const string LegacyName = "X-Content-Security-Policy";

     var standardPresent = headers.ContainsKey(StandardName);
     if (standardPresent == false)
     {
         headers.Add(StandardName, cspHeader);
     }

     if (!options.AddDeprecatedHeader)
     {
         return;
     }

     if (headers.ContainsKey(LegacyName))
     {
         return;
     }

     headers.Add(LegacyName, cspHeader);
 }
Esempio n. 3
        /// <summary>
        /// Builds a Content-Security-Policy that denies everything by default, allows only
        /// styles matching <paramref name="hash"/>, optionally appends a <c>frame-src</c>
        /// directive, and hands the result to <c>AddCspHeaders</c>.
        /// </summary>
        /// <param name="response">Response whose header collection receives the policy.</param>
        /// <param name="options">CSP settings; <c>Level</c> decides whether the CSP1 fallback is emitted.</param>
        /// <param name="hash">
        /// Hash source placed between single quotes in <c>style-src</c>; written verbatim,
        /// presumably an unquoted value such as "sha256-..." (confirm against callers).
        /// </param>
        /// <param name="frameSources">
        /// Source list for <c>frame-src</c>; the directive is omitted when this is null or empty.
        /// </param>
        /// <remarks>
        /// Neither <paramref name="hash"/> nor <paramref name="frameSources"/> is validated.
        /// A value containing ';' would begin a new directive inside the policy, so both must
        /// come from trusted configuration or code, never from request data. With
        /// <c>CspLevel.One</c> the policy also carries 'unsafe-inline', which lets browsers
        /// limited to CSP Level 1 apply every inline style.
        /// </remarks>
        public static void AddStyleCspHeaders(this HttpResponse response, CspOptions options, string hash, string frameSources)
        {
            var inlineFallback = string.Empty;
            if (options.Level == CspLevel.One)
            {
                inlineFallback = "'unsafe-inline' ";
            }

            var basePolicy = "default-src 'none'; style-src " + inlineFallback + "'" + hash + "'";

            // frame-src is appended as-is; see the remarks on where this value may come from.
            var policy = string.IsNullOrEmpty(frameSources)
                ? basePolicy
                : basePolicy + "; frame-src " + frameSources;

            AddCspHeaders(response.Headers, options, policy);
        }