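/// <summary>
/// Invoking the middleware over plain HTTP must emit the fixed set of
/// browser-hardening headers and still hand the request to the next delegate.
/// </summary>
public async Task ContentSecurityPolicyMiddlewareTest_invoke_otherTypes()
{
    // Arrange
    var httpContext = new DefaultHttpContext();
    httpContext.Request.Scheme = "http";

    // Record whether the request is forwarded; without this a middleware that
    // short-circuits the pipeline but still sets the headers would pass.
    var nextInvoked = false;
    var cspMiddleware = new ContentSecurityPolicyMiddleware((innerHttpContext) =>
    {
        nextInvoked = true;
        return Task.FromResult(0);
    });

    // Act
    await cspMiddleware.Invoke(httpContext);

    // Assert
    Assert.IsTrue(nextInvoked, "middleware must invoke the next delegate");

    // Referrer-Policy: never send the referrer to any destination.
    var referrerPolicy = httpContext.Response.Headers["Referrer-Policy"].ToString();
    Assert.AreEqual("no-referrer", referrerPolicy);

    // X-Frame-Options: refuse framing from any origin (clickjacking defence).
    var frameOptions = httpContext.Response.Headers["X-Frame-Options"].ToString();
    Assert.AreEqual("DENY", frameOptions);

    // X-Xss-Protection: pins the value the middleware emits today.
    // NOTE(review): "1; mode=block" is the legacy setting; current guidance is
    // "0" because the browser XSS auditor has been removed from modern engines
    // and was implicated in cross-site information leaks. Change the middleware
    // and this expectation together rather than here alone.
    var xssProtection = httpContext.Response.Headers["X-Xss-Protection"].ToString();
    Assert.AreEqual("1; mode=block", xssProtection);

    // X-Content-Type-Options: disable MIME-type sniffing.
    var contentTypeOptions = httpContext.Response.Headers["X-Content-Type-Options"].ToString();
    Assert.AreEqual("nosniff", contentTypeOptions);
}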
/// <summary>
/// The default policy written for an HTML response must allow the
/// Crazy Egg analytics origin.
/// </summary>
public void ContentSecurityPolicyMiddleware_adds_CrazyEgg()
{
    // Arrange: an HTML response, default options, no extra dependencies.
    var httpContext = new DefaultHttpContext();
    httpContext.Response.ContentType = "text/html";
    var hostingEnvironment = new Mock<IHostingEnvironment>();
    var defaultOptions = new CspOptions();
    var noDependencies = new List<ContentSecurityPolicyDependency>();

    // Act
    ContentSecurityPolicyMiddleware.AddHeader(httpContext, hostingEnvironment.Object, defaultOptions, noDependencies);

    // Assert
    string policy = httpContext.Response.Headers["Content-Security-Policy"].ToString();
    Assert.Contains("https://*.crazyegg.com", policy);
}
/// <summary>
/// The default policy written for an HTML response must include the
/// www.eastsussex.gov.uk origin without any options being configured.
/// </summary>
public void ContentSecurityPolicyMiddleware_adds_EastSussexGovUK_defaults()
{
    // Arrange: an HTML response, default options, no extra dependencies.
    var httpContext = new DefaultHttpContext();
    httpContext.Response.ContentType = "text/html";
    var hostingEnvironment = new Mock<IHostingEnvironment>();
    var defaultOptions = new CspOptions();
    var noDependencies = new List<ContentSecurityPolicyDependency>();

    // Act
    ContentSecurityPolicyMiddleware.AddHeader(httpContext, hostingEnvironment.Object, defaultOptions, noDependencies);

    // Assert
    string policy = httpContext.Response.Headers["Content-Security-Policy"].ToString();
    Assert.Contains("https://www.eastsussex.gov.uk", policy);
}
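/// <summary>
/// A non-HTML (text/plain) response must not receive a Content-Security-Policy
/// header at all, since the policy only applies to documents a browser renders.
/// </summary>
public void ContentSecurityPolicyMiddleware_does_not_add_header_to_text_response()
{
    // Arrange: a plain-text response with default options and no dependencies.
    var context = new DefaultHttpContext();
    context.Response.ContentType = "text/plain";
    var environment = new Mock<IHostingEnvironment>();

    // Act
    ContentSecurityPolicyMiddleware.AddHeader(context, environment.Object, new CspOptions(), new List<ContentSecurityPolicyDependency>());

    // Assert: the header is absent, not merely empty. The value is never read,
    // so it is discarded instead of bound to an unused local.
    Assert.False(context.Response.Headers.TryGetValue("Content-Security-Policy", out _));
}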
/// <summary>
/// Options configured at startup (here the YouTube allowance) must surface in
/// the Content-Security-Policy header written for an HTML response.
/// </summary>
public void ContentSecurityPolicyMiddleware_adds_policy_from_startup()
{
    // Arrange: an HTML response and options extended with the YouTube origin.
    var httpContext = new DefaultHttpContext();
    httpContext.Response.ContentType = "text/html";
    var hostingEnvironment = new Mock<IHostingEnvironment>();
    var startupOptions = new CspOptions().AddYouTube();
    var noDependencies = new List<ContentSecurityPolicyDependency>();

    // Act
    ContentSecurityPolicyMiddleware.AddHeader(httpContext, hostingEnvironment.Object, startupOptions, noDependencies);

    // Assert: the privacy-enhanced YouTube host is what the option adds.
    string policy = httpContext.Response.Headers["Content-Security-Policy"].ToString();
    Assert.Contains("https://www.youtube-nocookie.com", policy);
}
/// <summary>
/// In the Production environment the policy must not allow https://localhost,
/// so a development-only source cannot leak into a deployed header.
/// Only Production is exercised here; the non-production counterpart is not
/// covered by this test.
/// </summary>
public void ContentSecurityPolicyMiddleware_excludes_localhost_in_production()
{
    // Arrange: an HTML response under a mocked Production environment.
    var httpContext = new DefaultHttpContext();
    httpContext.Response.ContentType = "text/html";
    var hostingEnvironment = new Mock<IHostingEnvironment>();
    hostingEnvironment.Setup(x => x.EnvironmentName).Returns(EnvironmentName.Production);
    var defaultOptions = new CspOptions();
    var noDependencies = new List<ContentSecurityPolicyDependency>();

    // Act
    ContentSecurityPolicyMiddleware.AddHeader(httpContext, hostingEnvironment.Object, defaultOptions, noDependencies);

    // Assert
    string policy = httpContext.Response.Headers["Content-Security-Policy"].ToString();
    Assert.DoesNotContain("https://localhost", policy);
}
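/// <summary>
/// Invoking the middleware over plain HTTP must write a Content-Security-Policy
/// header that carries a default-src directive and a cleartext websocket
/// (ws://) source.
/// NOTE(review): no hosting environment is configured on this path, so the
/// ws:// allowance is presumably the non-production behaviour - confirm that a
/// production deployment does not emit a cleartext websocket source.
/// </summary>
public async Task ContentSecurityPolicyMiddlewareTest_invoke_testContent()
{
    // Arrange
    var httpContext = new DefaultHttpContext();
    httpContext.Request.Scheme = "http";
    var cspMiddleware = new ContentSecurityPolicyMiddleware(next: (innerHttpContext) => Task.FromResult(0));

    // Act
    await cspMiddleware.Invoke(httpContext);

    // Assert: IsTrue rather than AreEqual(true, ...) so a failure reports the
    // condition instead of "expected True, got False".
    var csp = httpContext.Response.Headers["Content-Security-Policy"].ToString();
    Assert.IsTrue(csp.Contains("default-src"), "policy must carry a default-src directive");
    Assert.IsTrue(csp.Contains("ws://"), "policy must allow a ws:// source on an http request");
}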
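/// <summary>
/// Over HTTPS with a portless localhost host header the policy must allow
/// wss://localhost and must not append a stray ":" (empty port) to it.
/// </summary>
public async Task invoke_httpsTest_websockets_localhostWithNoPort()
{
    // Arrange
    var httpContext = new DefaultHttpContext();
    httpContext.Request.Scheme = "https";
    httpContext.Request.Host = new HostString("localhost");
    var cspMiddleware = new ContentSecurityPolicyMiddleware(next: (innerHttpContext) => Task.FromResult(0));

    // Act
    await cspMiddleware.Invoke(httpContext);

    // Assert: IsTrue rather than AreEqual(true, ...) so a failure reports the
    // condition instead of "expected True, got False".
    var csp = httpContext.Response.Headers["Content-Security-Policy"].ToString();
    Assert.IsTrue(csp.Contains("default-src"), "policy must carry a default-src directive");
    Assert.IsTrue(csp.Contains("wss://localhost"), "policy must allow a secure websocket to localhost");
    // A host with no port must not be rendered as "wss://localhost:".
    Assert.IsFalse(csp.Contains("wss://localhost:"), "policy must not emit an empty port suffix");
}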