/// <summary>
/// Appends <paramref name="flagValue"/> to <paramref name="policyBuilder"/> when <paramref name="flag"/>
/// is set in <see cref="SandboxFlags"/>; otherwise leaves the builder untouched.
/// </summary>
/// <param name="policyBuilder">The builder accumulating the policy text.</param>
/// <param name="flag">The sandbox flag to test for.</param>
/// <param name="flagValue">The text appended when the flag is set. No separator is added here.</param>
private void AppendSandboxFlag(StringBuilder policyBuilder, ContentSecurityPolicySandboxFlags flag, string flagValue)
{
    bool flagIsSet = SandboxFlags.HasFlag(flag);
    if (!flagIsSet)
    {
        return;
    }

    policyBuilder.Append(flagValue);
}
/// <summary>
/// Materialises the individual CSP settings into a <see cref="ContentSecurityPolicyHeaderValue"/> and
/// hands it to the <see cref="ContentSecurityPolicyHeaderValue"/>-based overload.
/// </summary>
/// <param name="reportOnly">Whether the policy is to be applied in report-only mode.</param>
/// <param name="baseUri">Value for <see cref="ContentSecurityPolicyHeaderValue.BaseUri"/>.</param>
/// <param name="blockAllMixedContent">Value for <see cref="ContentSecurityPolicyHeaderValue.BlockAllMixedContent"/>.</param>
/// <param name="childSources">Value for <see cref="ContentSecurityPolicyHeaderValue.ChildSources"/>.</param>
/// <param name="connectSources">Value for <see cref="ContentSecurityPolicyHeaderValue.ConnectSources"/>.</param>
/// <param name="defaultSources">Value for <see cref="ContentSecurityPolicyHeaderValue.DefaultSources"/>.</param>
/// <param name="fontSources">Value for <see cref="ContentSecurityPolicyHeaderValue.FontSources"/>.</param>
/// <param name="formAction">Value for <see cref="ContentSecurityPolicyHeaderValue.FormAction"/>.</param>
/// <param name="frameAncestorsSources">Value for <see cref="ContentSecurityPolicyHeaderValue.FrameAncestorsSources"/>.</param>
/// <param name="frameSources">Value for <see cref="ContentSecurityPolicyHeaderValue.FrameSources"/>.</param>
/// <param name="imageSources">Value for <see cref="ContentSecurityPolicyHeaderValue.ImageSources"/>.</param>
/// <param name="manifestSources">Value for <see cref="ContentSecurityPolicyHeaderValue.ManifestSources"/>.</param>
/// <param name="mediaSources">Value for <see cref="ContentSecurityPolicyHeaderValue.MediaSources"/>.</param>
/// <param name="objectSources">Value for <see cref="ContentSecurityPolicyHeaderValue.ObjectSources"/>.</param>
/// <param name="pluginTypes">Value for <see cref="ContentSecurityPolicyHeaderValue.PluginTypes"/>.</param>
/// <param name="reportUri">Value for <see cref="ContentSecurityPolicyHeaderValue.ReportUri"/>.</param>
/// <param name="requireSriFor">Value for <see cref="ContentSecurityPolicyHeaderValue.RequireSriFor"/>.</param>
/// <param name="sandbox">Value for <see cref="ContentSecurityPolicyHeaderValue.Sandbox"/>.</param>
/// <param name="sandboxFlags">Value for <see cref="ContentSecurityPolicyHeaderValue.SandboxFlags"/>.</param>
/// <param name="scriptSources">Value for <see cref="ContentSecurityPolicyHeaderValue.ScriptSources"/>.</param>
/// <param name="scriptInlineExecution">Value for <see cref="ContentSecurityPolicyHeaderValue.ScriptInlineExecution"/>.</param>
/// <param name="styleSources">Value for <see cref="ContentSecurityPolicyHeaderValue.StyleSources"/>.</param>
/// <param name="styleInlineExecution">Value for <see cref="ContentSecurityPolicyHeaderValue.StyleInlineExecution"/>.</param>
/// <param name="upgradeInsecureRequests">Value for <see cref="ContentSecurityPolicyHeaderValue.UpgradeInsecureRequests"/>.</param>
/// <param name="workerSources">Value for <see cref="ContentSecurityPolicyHeaderValue.WorkerSources"/>.</param>
/// <returns>Whatever the <see cref="ContentSecurityPolicyHeaderValue"/>-based overload returns.</returns>
private SecurityHeadersPolicyBuilder WithCsp(bool reportOnly, string baseUri, bool blockAllMixedContent, string childSources, string connectSources, string defaultSources, string fontSources, string formAction, string frameAncestorsSources, string frameSources, string imageSources, string manifestSources, string mediaSources, string objectSources, string pluginTypes, string reportUri, ContentSecurityPolicyRequireSriFor? requireSriFor, bool sandbox, ContentSecurityPolicySandboxFlags sandboxFlags, string scriptSources, ContentSecurityPolicyInlineExecution scriptInlineExecution, string styleSources, ContentSecurityPolicyInlineExecution styleInlineExecution, bool upgradeInsecureRequests, string workerSources)
{
    // Every argument maps one-to-one onto a property of the header value; nothing is validated or
    // transformed at this level.
    var headerValue = new ContentSecurityPolicyHeaderValue();
    headerValue.BaseUri = baseUri;
    headerValue.BlockAllMixedContent = blockAllMixedContent;
    headerValue.ChildSources = childSources;
    headerValue.ConnectSources = connectSources;
    headerValue.DefaultSources = defaultSources;
    headerValue.FontSources = fontSources;
    headerValue.FormAction = formAction;
    headerValue.FrameAncestorsSources = frameAncestorsSources;
    headerValue.FrameSources = frameSources;
    headerValue.ImageSources = imageSources;
    headerValue.ManifestSources = manifestSources;
    headerValue.MediaSources = mediaSources;
    headerValue.ObjectSources = objectSources;
    headerValue.PluginTypes = pluginTypes;
    headerValue.ReportUri = reportUri;
    headerValue.RequireSriFor = requireSriFor;
    headerValue.Sandbox = sandbox;
    headerValue.SandboxFlags = sandboxFlags;
    headerValue.ScriptSources = scriptSources;
    headerValue.ScriptInlineExecution = scriptInlineExecution;
    headerValue.StyleSources = styleSources;
    headerValue.StyleInlineExecution = styleInlineExecution;
    headerValue.UpgradeInsecureRequests = upgradeInsecureRequests;
    headerValue.WorkerSources = workerSources;

    return WithCsp(reportOnly, headerValue);
}
/// <summary>
/// Appends <paramref name="flagValue"/> to <paramref name="headerValueBuilder"/> when <paramref name="flag"/>
/// is set in the <c>_sandboxFlags</c> field; otherwise leaves the builder untouched.
/// </summary>
/// <param name="headerValueBuilder">The builder accumulating the header value text.</param>
/// <param name="flag">The sandbox flag to test for.</param>
/// <param name="flagValue">The text appended when the flag is set. No separator is added here.</param>
private void AppendSandboxDirectiveFlag(StringBuilder headerValueBuilder, ContentSecurityPolicySandboxFlags flag, string flagValue)
{
    bool flagIsSet = _sandboxFlags.HasFlag(flag);
    if (!flagIsSet)
    {
        return;
    }

    headerValueBuilder.Append(flagValue);
}
/// <summary>
/// Instantiates a new <see cref="ContentSecurityPolicyHeaderValue"/>.
/// </summary>
/// <remarks>
/// The instance starts from a restrictive baseline: the default source list is <see cref="NoneSource"/>,
/// inline script and style execution are set to <see cref="ContentSecurityPolicyInlineExecution.Refuse"/>,
/// the sandbox is off with <see cref="ContentSecurityPolicySandboxFlags.None"/>, and the
/// block-all-mixed-content and upgrade-insecure-requests switches are off. Callers opt in to anything looser.
/// </remarks>
public ContentSecurityPolicyHeaderValue()
{
    // Source lists: only the default list is seeded; the rest keep their field defaults.
    _defaultSources = NoneSource;

    // Inline execution is refused for both scripts and styles until explicitly relaxed.
    _scriptInlineExecution = ContentSecurityPolicyInlineExecution.Refuse;
    _styleInlineExecution = ContentSecurityPolicyInlineExecution.Refuse;

    // Sandboxing is opt-in; with it off the flags are irrelevant but are still normalised to None.
    _sandbox = false;
    _sandboxFlags = ContentSecurityPolicySandboxFlags.None;

    // Mixed-content related directives are not emitted by default.
    _blockAllMixedContent = false;
    _upgradeInsecureRequests = false;
}
/// <summary>
/// Adds the Content Security Policy to the policy.
/// </summary>
/// <remarks>
/// This overload always registers an enforcing policy (the report-only flag passed to the private
/// overload is <c>false</c>). The defaults are deliberately strict: <paramref name="defaultSources"/>
/// is <see cref="ContentSecurityPolicyHeaderValue.NoneSource"/> and inline execution of scripts and
/// styles is <see cref="ContentSecurityPolicyInlineExecution.Refuse"/>; every other source list is
/// <c>null</c> and must be supplied explicitly. Arguments are forwarded by name so that the order of
/// the private overload's parameters cannot silently swap two source lists.
/// </remarks>
/// <param name="baseUri">The list of URLs that can be used to specify the document base URL.</param>
/// <param name="childSources">The source list for web workers and nested browsing contexts.</param>
/// <param name="connectSources">The source list for fetch, XMLHttpRequest, WebSocket, and EventSource connections.</param>
/// <param name="defaultSources">The default source list for directives which can fall back to the default sources.</param>
/// <param name="fontSources">The source list for fonts loaded using @font-face.</param>
/// <param name="formAction">The valid endpoints for form submissions.</param>
/// <param name="frameAncestorsSources">The valid parents that may embed a page using the frame and iframe elements.</param>
/// <param name="imageSources">The source list for images and favicons.</param>
/// <param name="manifestSources">The source list for manifest which can be applied to the resource.</param>
/// <param name="mediaSources">The source list for loading media using the audio and video elements.</param>
/// <param name="objectSources">The source list for the object, embed, and applet elements.</param>
/// <param name="reportUri">The URL to which the user agent should send reports about policy violations.</param>
/// <param name="sandbox">The value indicating if sandbox policy should be applied.</param>
/// <param name="sandboxFlags">The sandboxing flags (only used when Sandbox is true).</param>
/// <param name="scriptSources">The source list for scripts.</param>
/// <param name="scriptInlineExecution">The inline execution mode for scripts.</param>
/// <param name="styleSources">The source list for stylesheets.</param>
/// <param name="styleInlineExecution">The inline execution mode for stylesheets.</param>
/// <param name="blockAllMixedContent">The value indicating if block-all-mixed-content directive should be included.</param>
/// <param name="upgradeInsecureRequests">The value indicating if upgrade-insecure-requests directive should be included.</param>
/// <param name="requireSriFor">The value indicating if the use of Subresource Integrity is required for scripts or/and styles.</param>
/// <param name="pluginTypes">The types of plugins that can be embedded into a document.</param>
/// <param name="workerSources">The source list for Worker, SharedWorker, or ServiceWorker scripts.</param>
/// <param name="frameSources">The source list for nested browsing contexts loading using elements such as frame and iframe.</param>
/// <returns>The current policy builder.</returns>
public SecurityHeadersPolicyBuilder WithCsp(string baseUri = null, string childSources = null, string connectSources = null, string defaultSources = ContentSecurityPolicyHeaderValue.NoneSource, string fontSources = null, string formAction = null, string frameAncestorsSources = null, string imageSources = null, string manifestSources = null, string mediaSources = null, string objectSources = null, string reportUri = null, bool sandbox = false, ContentSecurityPolicySandboxFlags sandboxFlags = ContentSecurityPolicySandboxFlags.None, string scriptSources = null, ContentSecurityPolicyInlineExecution scriptInlineExecution = ContentSecurityPolicyInlineExecution.Refuse, string styleSources = null, ContentSecurityPolicyInlineExecution styleInlineExecution = ContentSecurityPolicyInlineExecution.Refuse, bool blockAllMixedContent = false, bool upgradeInsecureRequests = false, ContentSecurityPolicyRequireSriFor? requireSriFor = null, string pluginTypes = null, string workerSources = null, string frameSources = null)
{
    const bool enforceRatherThanReport = false;

    return WithCsp(
        reportOnly: enforceRatherThanReport,
        baseUri: baseUri,
        blockAllMixedContent: blockAllMixedContent,
        childSources: childSources,
        connectSources: connectSources,
        defaultSources: defaultSources,
        fontSources: fontSources,
        formAction: formAction,
        frameAncestorsSources: frameAncestorsSources,
        frameSources: frameSources,
        imageSources: imageSources,
        manifestSources: manifestSources,
        mediaSources: mediaSources,
        objectSources: objectSources,
        pluginTypes: pluginTypes,
        reportUri: reportUri,
        requireSriFor: requireSriFor,
        sandbox: sandbox,
        sandboxFlags: sandboxFlags,
        scriptSources: scriptSources,
        scriptInlineExecution: scriptInlineExecution,
        styleSources: styleSources,
        styleInlineExecution: styleInlineExecution,
        upgradeInsecureRequests: upgradeInsecureRequests,
        workerSources: workerSources);
}