コード例 #1
        /// <summary>
        /// Builds a policy with default-src, script-src, style-src, font-src and base-uri
        /// directives and checks that the serialized header value matches the fixture.
        /// </summary>
        /// <remarks>
        /// script-src and style-src include 'unsafe-inline', which weakens the XSS protection
        /// a CSP is meant to give; this test only covers header serialization, not the
        /// strength of the policy itself.
        /// </remarks>
        public void ContentSecurityPolicyBuilder_Will_Generate_Expected_Header_Value()
        {
            // Intermediate variables keep each directive step readable; the chain is preserved
            // so the result is the same whether the builder mutates in place or returns a copy.
            var withDefault = new ContentSecurityPolicyBuilder()
                .AddDefaultSource(defaultSrc => defaultSrc.AddSource(Source.Self));

            var withScript = withDefault.AddScriptSource(scriptSrc =>
            {
                scriptSrc.AddSource(Source.Self);
                scriptSrc.AddSource(Source.UnsafeInline);
            });

            var withStyle = withScript.AddStyleSource(styleSrc =>
            {
                styleSrc.AddSource(Source.Self);
                styleSrc.AddSource(Source.UnsafeInline);
                styleSrc.AddUriSource("https://fonts.googleapis.com");
            });

            var withFont = withStyle.AddFontSource(fontSrc =>
            {
                fontSrc.AddSource(Source.Self);
                fontSrc.AddUriSource("https://fonts.gstatic.com");
                fontSrc.AddDataSource("");
            });

            var complete = withFont.AddBaseUri(baseUri => baseUri.AddSource(Source.Self));

            var header = complete.Build();

            Assert.Equal(_fixture.ContentSecurityPolicy, header.Value);
        }
コード例 #2
        /// <summary>
        /// Verifies that configuring base-uri through the generic <c>AddDirective</c> overload
        /// produces the same header name and value as the <c>AddBaseUri</c> helper.
        /// </summary>
        /// <remarks>
        /// The nonce is a fixed literal because only serialization is under test; a real
        /// nonce must be generated per response with a cryptographic random source.
        /// </remarks>
        public void Add_Directive_Without_Helper_Method_Has_Same_Result_As_With()
        {
            const string nonce = "1abc2df63bc";
            const string data  = "abcbabcbabcbba12315245523875abc";

            var viaDirective = new ContentSecurityPolicyBuilder();
            var viaHelper    = new ContentSecurityPolicyBuilder();

            viaDirective.AddDirective(Directive.BaseUri, sources =>
            {
                sources.AddNonceSource(nonce);
                sources.AddDataSource(data);
            });

            viaHelper.AddBaseUri(sources =>
            {
                sources.AddNonceSource(nonce);
                sources.AddDataSource(data);
            });

            var directiveHeader = viaDirective.Build();
            var helperHeader    = viaHelper.Build();

            // The generic path must yield a well-formed CSP header on its own.
            Assert.NotNull(directiveHeader);
            Assert.NotEmpty(directiveHeader.Value);
            Assert.Equal(Header.ContentSecurityPolicy.Name, directiveHeader.Name);
            Assert.Equal($"base-uri 'nonce-{nonce}' data:{data};", directiveHeader.Value);

            // Both paths serialize identically ...
            Assert.Equal(directiveHeader.Name, helperHeader.Name);
            Assert.Equal(directiveHeader.Value, helperHeader.Value);

            // ... but each Build() call yields a distinct header instance.
            Assert.NotEqual(directiveHeader, helperHeader);
        }
コード例 #3
        /// <summary>
        /// An unconfigured builder still yields a Content-Security-Policy header, but with an empty value.
        /// </summary>
        public void No_Options_Return_Header_Without_Value()
        {
            var header = new ContentSecurityPolicyBuilder().Build();

            Assert.NotNull(header);
            Assert.Equal(Header.ContentSecurityPolicy.Name, header.Name);
            // No directives were added, so nothing is serialized into the value.
            Assert.Empty(header.Value);
        }
コード例 #4
        /// <summary>
        /// The builder's <c>Default()</c> policy is deterministic: it must match the fixture's
        /// expected default CSP string exactly.
        /// </summary>
        public void Default_CSP_Is_Always_The_Same()
        {
            var defaultPolicy = new ContentSecurityPolicyBuilder().Default();
            var header        = defaultPolicy.Build();

            Assert.NotNull(header);
            Assert.Equal(Header.ContentSecurityPolicy.Name, header.Name);
            Assert.NotEmpty(header.Value);
            // Pinning the full string catches any silent weakening of the shipped default.
            Assert.Equal(_fixture.DefaultCsp, header.Value);
        }
コード例 #5
        /// <summary>
        /// Adding a MIME type to <c>PluginTypes</c> must surface as a serialized
        /// <c>plugin-types</c> directive in the built policy.
        /// </summary>
        public void PluginTypesDirectiveIsIncludedInTheResultingDirective()
        {
            var builder = new ContentSecurityPolicyBuilder();
            builder.PluginTypes.Add("application/pdf");

            var built = builder.Build();

            // Single() also asserts that exactly one plugin-types directive was emitted.
            var pluginTypes = built.Single(directive => directive.Name == "plugin-types");

            Assert.AreEqual("plugin-types application/pdf", pluginTypes.ToString());
        }
コード例 #6
        /// <summary>
        /// The default built policy must include a <c>media-src</c> directive.
        /// </summary>
        public void CSPWillContainMediaSrcElement()
        {
            var policy = new ContentSecurityPolicyBuilder().BuildPolicy();

            // Only presence of the directive is checked, not its source list.
            Assert.Contains("media-src", policy);
        }
コード例 #7
        /// <summary>
        /// A directive registered by name through <c>Add</c> must appear in the built policy.
        /// </summary>
        /// <exception cref="AssertFailedException">
        /// Thrown when the built policy lacks the custom directive.
        /// </exception>
        public void CustomPropertiesAreIncludedInResultingDirectives()
        {
            const string directiveName = "x-test-directive";

            var builder = new ContentSecurityPolicyBuilder();
            builder.Add(directiveName, custom => custom.AllowFromSelf());

            var directives = builder.Build();
            var isPresent  = directives.Any(directive => directive.Name == directiveName);

            if (isPresent)
            {
                return;
            }

            throw new AssertFailedException($"The build CSP does not contain a '{directiveName}' directive.");
        }
コード例 #8
        /// <summary>
        /// Every public property of the builder that is itself a
        /// <see cref="ContentSecurityPolicyDirectiveBuilder"/> must contribute a directive
        /// with its name to the built policy.
        /// </summary>
        /// <exception cref="AssertFailedException">
        /// Thrown naming the first property whose directive is missing from the output.
        /// </exception>
        public void DefaultPropertiesAreIncludedInResultingDirectives()
        {
            var builder    = new ContentSecurityPolicyBuilder();
            var directives = builder.Build();

            // Discover the directive builders by reflection so a newly added property
            // is covered without editing this test.
            var directiveBuilderType = typeof(ContentSecurityPolicyDirectiveBuilder);
            var directiveProperties  = builder.GetType()
                                              .GetProperties()
                                              .Where(property => directiveBuilderType.IsAssignableFrom(property.PropertyType));

            foreach (var property in directiveProperties)
            {
                var directiveBuilder = (ContentSecurityPolicyDirectiveBuilder)property.GetValue(builder);
                var expectedName     = directiveBuilder.Build().Name;

                if (directives.Any(directive => directive.Name == expectedName))
                {
                    continue;
                }

                throw new AssertFailedException($"The built CSP does not contain a '{expectedName}' directive for property {property.Name}.");
            }
        }
コード例 #9
        /// <summary>
        /// Registers the ThoughtHaven MVC pipeline with the given Content-Security-Policy and an
        /// IIS URL-rewrite configuration file.
        /// </summary>
        /// <param name="app">The application builder being extended.</param>
        /// <param name="environment">The hosting environment.</param>
        /// <param name="csp">The policy applied by the security-headers middleware.</param>
        /// <param name="iisUrlRewriteFilePath">Path to the IIS URL-rewrite file; must not be blank.</param>
        /// <param name="configureRoutes">Optional endpoint configuration; forwarded unchanged.</param>
        /// <returns>The application builder returned by the options-based overload.</returns>
        public static IApplicationBuilder UseThoughtHavenMvc(this IApplicationBuilder app,
                                                             IWebHostEnvironment environment, ContentSecurityPolicyBuilder csp,
                                                             string iisUrlRewriteFilePath, Action<IEndpointRouteBuilder>? configureRoutes = null)
        {
            // Validate every argument before touching any state.
            Guard.Null(nameof(app), app);
            Guard.Null(nameof(environment), environment);
            Guard.Null(nameof(csp), csp);
            Guard.NullOrWhiteSpace(nameof(iisUrlRewriteFilePath), iisUrlRewriteFilePath);

            var mvcOptions = new MvcBuilderOptions();
            mvcOptions.SecurityHeaders.Configure(csp);
            mvcOptions.Rewrite.IISUrlRewriteFilePath = iisUrlRewriteFilePath;

            // Delegate to the overload that takes a fully built options object.
            return app.UseThoughtHavenMvc(environment, mvcOptions, configureRoutes);
        }
コード例 #10
        /// <summary>
        /// Registers the ThoughtHaven MVC pipeline with the given Content-Security-Policy and
        /// no IIS URL-rewrite configuration.
        /// </summary>
        /// <param name="app">The application builder being extended.</param>
        /// <param name="environment">The hosting environment.</param>
        /// <param name="csp">The policy applied by the security-headers middleware.</param>
        /// <param name="configureRoutes">Optional endpoint configuration; forwarded unchanged.</param>
        /// <returns>The application builder returned by the options-based overload.</returns>
        public static IApplicationBuilder UseThoughtHavenMvc(this IApplicationBuilder app,
                                                             IWebHostEnvironment environment, ContentSecurityPolicyBuilder csp,
                                                             Action<IEndpointRouteBuilder>? configureRoutes = null)
        {
            // Validate every argument before touching any state.
            Guard.Null(nameof(app), app);
            Guard.Null(nameof(environment), environment);
            Guard.Null(nameof(csp), csp);

            var mvcOptions = new MvcBuilderOptions();
            mvcOptions.SecurityHeaders.Configure(csp);

            // Delegate to the overload that takes a fully built options object.
            return app.UseThoughtHavenMvc(environment, mvcOptions, configureRoutes);
        }
コード例 #11
 /// <summary>
 /// Adds a Content-Security-Policy header built from <paramref name="builder"/> to this policy.
 /// </summary>
 /// <param name="builder">The CSP builder; handed straight to <c>AddHeader</c>.</param>
 /// <returns>Whatever <c>AddHeader</c> returns, so calls can be chained.</returns>
 public HeaderPolicyBuilder AddContentSecurity(ContentSecurityPolicyBuilder builder)
 {
     return AddHeader(builder);
 }
コード例 #12
 /// <summary>
 /// Stores the serialized form of <paramref name="csp"/> as this instance's Content-Security-Policy value.
 /// </summary>
 /// <param name="csp">The policy builder; rejected by <c>Guard.Null</c> when null.</param>
 public void Configure(ContentSecurityPolicyBuilder csp)
 {
     // Guard.Null returns its argument, so the null check and the use stay on one path.
     var validated = Guard.Null(nameof(csp), csp);
     ContentSecurityPolicy = validated.ToString();
 }