public void ContentSecurityPolicyBuilder_Will_Generate_Expected_Header_Value() { var builder = new ContentSecurityPolicyBuilder() .AddDefaultSource(x => x.AddSource(Source.Self)) .AddScriptSource(x => { x.AddSource(Source.Self); x.AddSource(Source.UnsafeInline); }) .AddStyleSource(x => { x.AddSource(Source.Self); x.AddSource(Source.UnsafeInline); x.AddUriSource("https://fonts.googleapis.com"); }) .AddFontSource(x => { x.AddSource(Source.Self); x.AddUriSource("https://fonts.gstatic.com"); x.AddDataSource(""); }) .AddBaseUri(x => x.AddSource(Source.Self)); var csp = builder.Build(); Assert.Equal(_fixture.ContentSecurityPolicy, csp.Value); }
public void Add_Directive_Without_Helper_Method_Has_Same_Result_As_With() { var nonce = "1abc2df63bc"; var data = "abcbabcbabcbba12315245523875abc"; var builder = new ContentSecurityPolicyBuilder(); var builder2 = new ContentSecurityPolicyBuilder(); builder.AddDirective(Directive.BaseUri, x => { x.AddNonceSource(nonce); x.AddDataSource(data); }); builder2.AddBaseUri(x => { x.AddNonceSource(nonce); x.AddDataSource(data); }); var header = builder.Build(); var header2 = builder2.Build(); Assert.NotNull(header); Assert.NotEmpty(header.Value); Assert.Equal(Header.ContentSecurityPolicy.Name, header.Name); Assert.Equal($"base-uri 'nonce-{nonce}' data:{data};", header.Value); Assert.Equal(header.Name, header2.Name); Assert.Equal(header.Value, header2.Value); Assert.NotEqual(header, header2); }
public void No_Options_Return_Header_Without_Value() { var builder = new ContentSecurityPolicyBuilder(); var header = builder.Build(); Assert.NotNull(header); Assert.Empty(header.Value); Assert.Equal(Header.ContentSecurityPolicy.Name, header.Name); }
public void Default_CSP_Is_Always_The_Same() { var builder = new ContentSecurityPolicyBuilder(); var header = builder.Default().Build(); Assert.NotNull(header); Assert.NotEmpty(header.Value); Assert.Equal(Header.ContentSecurityPolicy.Name, header.Name); Assert.Equal(_fixture.DefaultCsp, header.Value); }
public void PluginTypesDirectiveIsIncludedInTheResultingDirective() { var builder = new ContentSecurityPolicyBuilder(); builder.PluginTypes.Add("application/pdf"); var directives = builder.Build(); var pluginTypeDirective = directives.Single(x => x.Name == "plugin-types").ToString(); Assert.AreEqual("plugin-types application/pdf", pluginTypeDirective); }
public void CSPWillContainMediaSrcElement() { // Arrange var cspBuilder = new ContentSecurityPolicyBuilder(); // Act var contentSecurityPolicy = cspBuilder.BuildPolicy(); // Assert Assert.Contains("media-src", contentSecurityPolicy); }
public void CustomPropertiesAreIncludedInResultingDirectives() { const string directiveName = "x-test-directive"; var builder = new ContentSecurityPolicyBuilder(); builder.Add(directiveName, customDirective => { customDirective.AllowFromSelf(); }); var directives = builder.Build(); if (!directives.Any(x => x.Name == directiveName)) { throw new AssertFailedException("The build CSP does not contain a '" + directiveName + "' directive."); } }
public void DefaultPropertiesAreIncludedInResultingDirectives() { var builder = new ContentSecurityPolicyBuilder(); var directives = builder.Build(); var directiveBuilders = builder.GetType() .GetProperties() .Where(x => typeof(ContentSecurityPolicyDirectiveBuilder).IsAssignableFrom(x.PropertyType)); foreach (var item in directiveBuilders) { var directiveBuilder = (ContentSecurityPolicyDirectiveBuilder)item.GetValue(builder); var name = directiveBuilder.Build().Name; if (!directives.Any(x => x.Name == name)) { throw new AssertFailedException($"The built CSP does not contain a '{name}' directive for property {item.Name}."); } } }
public static IApplicationBuilder UseThoughtHavenMvc(this IApplicationBuilder app, IWebHostEnvironment environment, ContentSecurityPolicyBuilder csp, string iisUrlRewriteFilePath, Action <IEndpointRouteBuilder>?configureRoutes = null) { Guard.Null(nameof(app), app); Guard.Null(nameof(environment), environment); Guard.Null(nameof(csp), csp); Guard.NullOrWhiteSpace(nameof(iisUrlRewriteFilePath), iisUrlRewriteFilePath); var options = new MvcBuilderOptions(); options.SecurityHeaders.Configure(csp); options.Rewrite.IISUrlRewriteFilePath = iisUrlRewriteFilePath; return(app.UseThoughtHavenMvc(environment, options, configureRoutes)); }
public static IApplicationBuilder UseThoughtHavenMvc(this IApplicationBuilder app, IWebHostEnvironment environment, ContentSecurityPolicyBuilder csp, Action <IEndpointRouteBuilder>?configureRoutes = null) { Guard.Null(nameof(app), app); Guard.Null(nameof(environment), environment); Guard.Null(nameof(csp), csp); var options = new MvcBuilderOptions(); options.SecurityHeaders.Configure(csp); return(app.UseThoughtHavenMvc(environment, options, configureRoutes)); }
public HeaderPolicyBuilder AddContentSecurity(ContentSecurityPolicyBuilder builder) => AddHeader(builder);
public void Configure(ContentSecurityPolicyBuilder csp) => this.ContentSecurityPolicy = Guard.Null(nameof(csp), csp).ToString();