/// <summary>
/// Builds an <see cref="IContentSecurityPolicy"/> from an <see cref="Item"/> by reading every
/// directive through the matching Get*SecurityPolicy / Get*Options helper on this class.
/// </summary>
/// <param name="i">The item whose settings describe the policy.</param>
/// <returns>A fully populated policy; never null.</returns>
private IContentSecurityPolicy Map(Item i)
{
    IContentSecurityPolicy policy = new ContentSecurityPolicy();

    // Fetch directives: one helper per CSP source list.
    policy.Default = GetDefaultSecurityPolicy(i);
    policy.Script = GetScriptSecurityPolicy(i);
    policy.Style = GetStyleSecurityPolicy(i);
    policy.Image = GetImageSecurityPolicy(i);
    policy.Font = GetFontSecurityPolicy(i);
    policy.Connect = GetConnectSecurityPolicy(i);
    policy.Media = GetMediaSecurityPolicy(i);
    policy.Object = GetObjectSecurityPolicy(i);
    policy.Child = GetChildSecurityPolicy(i);

    // Navigation directives.
    policy.FrameAncestors = GetFrameAncestorsSecurityPolicy(i);
    policy.FormAction = GetFormActionSecurityPolicy(i);
    policy.Manifest = GetManifestSecurityPolicy(i);

    // Referrer and sandbox are intentionally left unmapped here.
    //policy.Referrer = GetReferrerOptions(i);
    //policy.Sandbox = GetSandboxOptions(i);

    // NOTE(review): reflected-xss and plugin-types have been dropped from the CSP specification
    // and are ignored by current browsers; they are kept so the policy model is mapped in full.
    policy.ReflectedXss = GetReflectedXssOptions(i);
    policy.PluginTypes = GetPluginTypes(i);

    // Document-level options and reporting.
    policy.BaseUri = GetBaseUri(i);
    policy.BlockAllMixedContent = GetMixedContentSetting(i);
    policy.ReportOnly = GetReportOnlyOption(i);
    policy.ReportUri = GetReportUri(i);
    policy.UpgradeInsecureRequests = GetUpgradeInsecureRequestsOptions(i);

    return policy;
}
/// <summary>
/// Appending a directive that repeats an existing source must keep the original ordering and
/// add only the sources not already present.
/// </summary>
public void AmendedUpdateIgnoresDuplicates()
{
    var firstAppend = "img-src: https://www.example.org https://www.w3.org";
    var secondAppend = "img-src: https://www.example.org https://example.org";
    var expected = "img-src: https://www.example.org https://www.w3.org https://example.org";

    // The instance under test is whatever the first AppendPolicy call returns.
    var csp = new ContentSecurityPolicy().AppendPolicy(firstAppend);
    csp.AppendPolicy(secondAppend);

    Assert.AreEqual(expected, csp.ToString());
}
/// <summary>
/// Exercises two source-settings lookups and ToString on an empty policy.
/// Nothing is asserted, so this only shows the calls complete without throwing.
/// </summary>
public void Test2()
{
    IContentSecurityPolicy policy = new ContentSecurityPolicy();

    var defaultSettings = GetSourceSettings<DefaultContentSecurityPolicySource>();
    var scriptSettings = GetSourceSettings<ScriptContentSecurityPolicySource>();

    var serialized = policy.ToString();
}
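/// <summary>
/// Middleware that emits the Content-Security-Policy header for <paramref name="policy"/>.
/// The header value is serialised once, here, and reused for every request.
/// </summary>
/// <param name="next">The next delegate in the pipeline; must not be null.</param>
/// <param name="policy">The policy to serialise; must not be null.</param>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="next"/> or <paramref name="policy"/> is null.
/// </exception>
public ContentSecurityPolicyMiddleware(RequestDelegate next, ContentSecurityPolicy policy)
{
    // Guard both arguments up front: a null next would only surface on the first request.
    if (next == null)
    {
        throw new ArgumentNullException(nameof(next));
    }
    if (policy == null)
    {
        throw new ArgumentNullException(nameof(policy));
    }

    _policy = ContentSecurityHeaderBuilder.Build(policy);
    _next = next;
}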
/// <summary>
/// Page initialisation: stamps the modified date and writes the Content-Security-Policy header
/// for this page, extended with the "GoogleMaps" and "Roadworks" configuration sections.
/// </summary>
/// <param name="sender">Unused.</param>
/// <param name="e">Unused.</param>
protected void Page_Load(object sender, System.EventArgs e)
{
    // Content is refreshed every 15 minutes, so the modified date is always today.
    headContent.DateModified = DateTimeFormatter.ISODate(DateTime.Today);

    var context = System.Web.HttpContext.Current;

    // NOTE(review): the policy is seeded from the request URL, whose host is typically taken
    // from the incoming Host header. Site bindings should restrict the accepted hostnames so an
    // unexpected Host value cannot shape the emitted policy — confirm the deployment does this.
    var csp = new ContentSecurityPolicy(context.Request.Url);
    csp.AppendFromConfig("GoogleMaps");
    csp.AppendFromConfig("Roadworks");
    csp.UpdateHeader(context.Response);
}
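/// <summary>
/// AddScript must emit a script-src directive carrying the SHA-256 digest of the inline script.
/// The expected digest is computed independently with the BCL so the policy's own hashing is
/// actually checked rather than echoed.
/// </summary>
/// <remarks>
/// NOTE(review): the CSP specification encodes hash-source values in base64
/// ('sha256-&lt;base64&gt;'). This test pins a lowercase-hex encoding, which browsers would
/// not recognise as a matching hash — confirm what AddScript is meant to produce.
/// </remarks>
public void AddingScriptAddsHashToHeaderValue()
{
    var testPolicy = ContentSecurityPolicy.Empty();
    var scriptContents = "console.log('example script');";
    var scriptBytes = Encoding.UTF8.GetBytes(scriptContents);

    string hashedContents;
    // SHA256.Create() is the supported factory (SHA256Managed is obsolete); dispose the hasher.
    using (var sha256 = SHA256.Create())
    {
        var digest = sha256.ComputeHash(scriptBytes);
        // Concat builds the hex string in one pass instead of re-allocating per byte.
        hashedContents = string.Concat(digest.Select(x => x.ToString("x2")));
    }

    Assert.AreEqual($"script-src 'sha256-{hashedContents}';", testPolicy.AddScript(scriptContents).GetHeaderValue());
}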
/// <summary>
/// Smoke test: builds a policy with a single default hostname plus the Self and Data options,
/// then serialises it. Nothing is asserted about the result.
/// </summary>
public void TestMethod1()
{
    var policy = new ContentSecurityPolicy();
    policy.Default.Hostnames = "www.google.com";
    policy.Default.Options = new ContentSecurityPolicyOptions { Self = true, Data = true };

    // Exercised for exceptions only; the serialised value is not checked.
    var serialized = policy.ToString();
}
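/// <summary>
/// Writes the policy as a response header: Content-Security-Policy-Report-Only when
/// <c>ReportOnly</c> is set, Content-Security-Policy otherwise.
/// </summary>
/// <param name="policy">Policy to emit; must not be null.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="policy"/> is null.</exception>
public void SetContentSecurityPolicy(ContentSecurityPolicy policy)
{
    if (policy == null)
    {
        throw new ArgumentNullException(nameof(policy));
    }

    string headerName = policy.ReportOnly
        ? "Content-Security-Policy-Report-Only"
        : "Content-Security-Policy";

    if (policy.SupportNonces)
    {
        // Hands over the ToHeader method itself rather than a string; presumably SetHeader
        // invokes it per response so each nonce is fresh — confirm against that overload.
        this.SetHeader(headerName, policy.ToHeader);
    }
    else
    {
        this.SetHeader(headerName, policy.ToHeader(null));
    }
}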
/// <summary>
/// Runs the CSP check for <paramref name="request"/>, logs the outcome to <paramref name="sb"/>,
/// and when the check reports findings sends a notification e-mail and optionally records every
/// finding in <paramref name="linkBuilder"/>. Note that <c>Success</c> on the result means
/// "findings were produced", not "the site passed".
/// </summary>
/// <param name="request">Scan target.</param>
/// <param name="sb">Human-readable log being assembled by the caller.</param>
/// <param name="linkBuilder">Optional; receives one line per finding when supplied.</param>
/// <returns>The scanner result, unchanged.</returns>
private ScannerResult CheckCSP(ScannerRequest request, StringBuilder sb, StringBuilder linkBuilder = null)
{
    var outcome = ContentSecurityPolicy.Check(request);

    if (!outcome.Success)
    {
        sb.Append("\tNo CSP found." + Environment.NewLine);
        return outcome;
    }

    // NOTE(review): assumes Results is non-empty whenever Success is true; First() throws otherwise.
    var firstFinding = outcome.Results.First();
    sb.Append($"\tCSP Vulnerability Found! {request.URL}! Email sent.{firstFinding}");
    SendEmail(
        "\tCSP Vulnerability Found ",
        $"{request.URL} appears to have unclaimed CSP URLS: {Environment.NewLine}{firstFinding}");

    if (linkBuilder != null)
    {
        linkBuilder.Append(string.Join(Environment.NewLine, outcome.Results.ToArray()) + Environment.NewLine);
    }

    return outcome;
}
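/// <summary>
/// Serialises <paramref name="policy"/> into a Content-Security-Policy header value.
/// Every populated source list is emitted as "directive source source; " in a fixed order;
/// sandbox is emitted whenever it is set. The trailing separator is trimmed.
/// </summary>
/// <param name="policy">Policy to serialise; must not be null.</param>
/// <returns>The header value, or an empty string when no directive is populated.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="policy"/> is null.</exception>
internal static string Build(ContentSecurityPolicy policy)
{
    if (policy == null)
    {
        throw new ArgumentNullException(nameof(policy));
    }

    // NOTE(review): source values are written verbatim. A value containing ';' or a line break
    // would end the directive early, so this must only be fed configuration, never request data.
    var stringBuilder = new StringBuilder();

    // Fetch directives.
    AppendSourceList(stringBuilder, Constants.CspDirectives.DefaultSrc, policy.DefaultSrc);
    AppendSourceList(stringBuilder, Constants.CspDirectives.ScriptSrc, policy.ScriptSrc);
    AppendSourceList(stringBuilder, Constants.CspDirectives.StyleSrc, policy.StyleSrc);
    AppendSourceList(stringBuilder, Constants.CspDirectives.ImgSrc, policy.ImgSrc);
    AppendSourceList(stringBuilder, Constants.CspDirectives.ConnectSrc, policy.ConnectSrc);
    AppendSourceList(stringBuilder, Constants.CspDirectives.FontSrc, policy.FontSrc);
    AppendSourceList(stringBuilder, Constants.CspDirectives.ObjectSrc, policy.ObjectSrc);
    AppendSourceList(stringBuilder, Constants.CspDirectives.MediaSrc, policy.MediaSrc);
    AppendSourceList(stringBuilder, Constants.CspDirectives.ChildSrc, policy.ChildSrc);

    // Navigation directives.
    AppendSourceList(stringBuilder, Constants.CspDirectives.FormAction, policy.FormAction);
    AppendSourceList(stringBuilder, Constants.CspDirectives.FrameAncestors, policy.FrameAncestors);

    // Sandbox is a flag set rather than a source list, so it has no emptiness check.
    if (policy.Sandbox != null)
    {
        stringBuilder.Append(Constants.CspDirectives.Sandbox);
        stringBuilder.Append($" {policy.Sandbox.Value}; ");
    }

    AppendSourceList(stringBuilder, Constants.CspDirectives.PluginTypes, policy.PluginTypes);

    return stringBuilder.ToString().TrimEnd();
}

/// <summary>
/// Appends "<paramref name="directive"/> &lt;space-joined sources&gt;; " to
/// <paramref name="stringBuilder"/> when <paramref name="sources"/> is non-null and non-empty.
/// </summary>
/// <typeparam name="T">Element type of the source list; elements are written via ToString.</typeparam>
private static void AppendSourceList<T>(StringBuilder stringBuilder, string directive, System.Collections.Generic.IEnumerable<T> sources)
{
    if (sources == null)
    {
        return;
    }

    // Copy once so the emptiness check and the join see the same sequence.
    var items = new System.Collections.Generic.List<T>(sources);
    if (items.Count == 0)
    {
        return;
    }

    stringBuilder.Append(directive);
    stringBuilder.Append($" {string.Join(" ", items)}; ");
}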
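/// <summary>
/// Registers the Content-Security-Policy middleware with the given policy.
/// </summary>
/// <param name="app">Pipeline to add the middleware to; must not be null.</param>
/// <param name="policy">Policy the middleware will emit; must not be null.</param>
/// <returns>The builder returned by <c>UseMiddleware</c>, for chaining.</returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="app"/> or <paramref name="policy"/> is null.
/// </exception>
public static IApplicationBuilder UseContentSecurityPolicy(this IApplicationBuilder app, ContentSecurityPolicy policy)
{
    if (app == null)
    {
        throw new ArgumentNullException(nameof(app));
    }
    if (policy == null)
    {
        // Fail early, at registration, rather than when the middleware is instantiated.
        throw new ArgumentNullException(nameof(policy));
    }

    return app.UseMiddleware<Middleware.ContentSecurityPolicy>(policy);
}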
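/// <summary>
/// Serialises <paramref name="policy"/> into a Content-Security-Policy header value.
/// Every populated source list is emitted as "directive source source; " in a fixed order;
/// sandbox, report-uri and upgrade-insecure-requests are emitted when set. The trailing
/// separator is trimmed.
/// </summary>
/// <remarks>
/// NOTE(review): report-only mode is signalled by the response header name
/// (Content-Security-Policy-Report-Only), not by a directive — confirm what
/// <c>Constants.CSPDirectives.ReportUriReportOnly</c> expands to. report-uri itself is
/// deprecated in CSP level 3 in favour of report-to.
/// </remarks>
/// <param name="policy">Policy to serialise; must not be null.</param>
/// <returns>The header value, or an empty string when no directive is populated.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="policy"/> is null.</exception>
public static string Build(ContentSecurityPolicy policy)
{
    if (policy == null)
    {
        throw new ArgumentNullException(nameof(policy));
    }

    // NOTE(review): source values and ReportUri are written verbatim. A value containing ';'
    // or a line break would end the directive early, so only feed configuration in here.
    var stringBuilder = new StringBuilder();

    // Fetch directives.
    AppendSourceList(stringBuilder, Constants.CSPDirectives.DefaultSrc, policy.DefaultSrc);
    AppendSourceList(stringBuilder, Constants.CSPDirectives.ScriptSrc, policy.ScriptSrc);
    AppendSourceList(stringBuilder, Constants.CSPDirectives.StyleSrc, policy.StyleSrc);
    AppendSourceList(stringBuilder, Constants.CSPDirectives.ImgSrc, policy.ImgSrc);
    AppendSourceList(stringBuilder, Constants.CSPDirectives.ConnectSrc, policy.ConnectSrc);
    AppendSourceList(stringBuilder, Constants.CSPDirectives.FontSrc, policy.FontSrc);
    AppendSourceList(stringBuilder, Constants.CSPDirectives.ObjectSrc, policy.ObjectSrc);
    AppendSourceList(stringBuilder, Constants.CSPDirectives.MediaSrc, policy.MediaSrc);
    AppendSourceList(stringBuilder, Constants.CSPDirectives.ChildSrc, policy.ChildSrc);

    // Navigation directives.
    AppendSourceList(stringBuilder, Constants.CSPDirectives.FormAction, policy.FormAction);
    AppendSourceList(stringBuilder, Constants.CSPDirectives.FrameAncestors, policy.FrameAncestors);

    // Sandbox is a flag set rather than a source list, so it has no emptiness check.
    if (policy.Sandbox != null)
    {
        stringBuilder.Append(Constants.CSPDirectives.Sandbox);
        stringBuilder.Append($" {policy.Sandbox.Value}; ");
    }

    // Reporting endpoint; the constant chosen depends on OnlySendReport.
    if (!string.IsNullOrWhiteSpace(policy.ReportUri))
    {
        stringBuilder.Append(policy.OnlySendReport
            ? Constants.CSPDirectives.ReportUriReportOnly
            : Constants.CSPDirectives.ReportUri);
        stringBuilder.Append($" {policy.ReportUri}; ");
    }

    AppendSourceList(stringBuilder, Constants.CSPDirectives.PluginTypes, policy.PluginTypes);

    // Boolean directive: name only, no value.
    if (policy.UpgradeInsecureRequests)
    {
        stringBuilder.Append($"{Constants.CSPDirectives.UpgradeInsecureRequests}; ");
    }

    return stringBuilder.ToString().TrimEnd();
}

/// <summary>
/// Appends "<paramref name="directive"/> &lt;space-joined sources&gt;; " to
/// <paramref name="stringBuilder"/> when <paramref name="sources"/> is non-null and non-empty.
/// </summary>
/// <typeparam name="T">Element type of the source list; elements are written via ToString.</typeparam>
private static void AppendSourceList<T>(StringBuilder stringBuilder, string directive, System.Collections.Generic.IEnumerable<T> sources)
{
    if (sources == null)
    {
        return;
    }

    // Copy once so the emptiness check and the join see the same sequence.
    var items = new System.Collections.Generic.List<T>(sources);
    if (items.Count == 0)
    {
        return;
    }

    stringBuilder.Append(directive);
    stringBuilder.Append($" {string.Join(" ", items)}; ");
}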
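/// <summary>
/// Adds the middleware that sends the HTTP Content-Security-Policy response header. The header
/// lets a site control which resources the user agent may load for a page; with a few
/// exceptions, policies mostly specify server origins and script endpoints, which helps guard
/// against cross-site scripting attacks.
/// </summary>
/// <param name="app">Pipeline to add the middleware to; must not be null.</param>
/// <param name="policy">Policy the middleware will emit; must not be null.</param>
/// <returns>The builder returned by <c>UseMiddleware</c>, for chaining.</returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="app"/> or <paramref name="policy"/> is null.
/// </exception>
public static IApplicationBuilder UseContentSecurityPolicy(this IApplicationBuilder app, ContentSecurityPolicy policy)
{
    if (app == null)
    {
        throw new ArgumentNullException(nameof(app));
    }
    if (policy == null)
    {
        // Fail early, at registration, rather than when the middleware is instantiated.
        throw new ArgumentNullException(nameof(policy));
    }

    return app.UseMiddleware<ContentSecurityPolicyMiddleware>(policy);
}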
/// <summary>
/// AddScript must hand back a different instance from the policy it was called on.
/// </summary>
public void AddingScriptReturnsNewPolicy()
{
    var original = ContentSecurityPolicy.Empty();
    var withScript = original.AddScript("console.log('example script');");

    Assert.AreNotSame(original, withScript);
}