        public async Task ContentSecurityPolicyMiddlewareTest_invoke_otherTypes()
        {
            // Arrange: plain-HTTP request; the "next" delegate just completes.
            var context = new DefaultHttpContext();
            context.Request.Scheme = "http";
            var middleware = new ContentSecurityPolicyMiddleware(_ => Task.CompletedTask);

            // Act
            await middleware.Invoke(context);

            // Assert: the hardening headers expected on this response, apart from the CSP itself.
            var headers = context.Response.Headers;

            // Referrer-Policy: the referring URL must not be disclosed to other origins.
            Assert.AreEqual("no-referrer", headers["Referrer-Policy"].ToString());

            // X-Frame-Options: no framing at all (clickjacking defence).
            Assert.AreEqual("DENY", headers["X-Frame-Options"].ToString());

            // X-Xss-Protection: legacy reflected-XSS filter flag for older browsers.
            Assert.AreEqual("1; mode=block", headers["X-Xss-Protection"].ToString());

            // X-Content-Type-Options: browsers must not MIME-sniff the body.
            Assert.AreEqual("nosniff", headers["X-Content-Type-Options"].ToString());
        }
        public void ContentSecurityPolicyMiddleware_adds_CrazyEgg()
        {
            // Arrange: an HTML response with default options and no extra dependencies.
            var httpContext = new DefaultHttpContext();
            httpContext.Response.ContentType = "text/html";
            var hostingEnvironment = new Mock<IHostingEnvironment>();

            // Act
            ContentSecurityPolicyMiddleware.AddHeader(httpContext, hostingEnvironment.Object, new CspOptions(), new List<ContentSecurityPolicyDependency>());

            // Assert: the CrazyEgg origin is part of the default policy.
            var csp = httpContext.Response.Headers["Content-Security-Policy"].ToString();
            Assert.Contains("https://*.crazyegg.com", csp);
        }
        public void ContentSecurityPolicyMiddleware_adds_EastSussexGovUK_defaults()
        {
            // Arrange: an HTML response with default options and no extra dependencies.
            var httpContext = new DefaultHttpContext();
            httpContext.Response.ContentType = "text/html";
            var hostingEnvironment = new Mock<IHostingEnvironment>();

            // Act
            ContentSecurityPolicyMiddleware.AddHeader(httpContext, hostingEnvironment.Object, new CspOptions(), new List<ContentSecurityPolicyDependency>());

            // Assert: the site's own origin is always allowed by the default policy.
            var csp = httpContext.Response.Headers["Content-Security-Policy"].ToString();
            Assert.Contains("https://www.eastsussex.gov.uk", csp);
        }
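        /// <summary>
        /// A CSP only governs HTML documents; a plain-text response must not receive the header.
        /// </summary>
        public void ContentSecurityPolicyMiddleware_does_not_add_header_to_text_response()
        {
            // Arrange: non-HTML content type, default options, no extra dependencies.
            var context = new DefaultHttpContext();
            context.Response.ContentType = "text/plain";
            var environment = new Mock<IHostingEnvironment>();

            // Act
            ContentSecurityPolicyMiddleware.AddHeader(context, environment.Object, new CspOptions(), new List<ContentSecurityPolicyDependency>());

            // Assert: header absent. The value is irrelevant here, so discard it instead of
            // binding an unused local.
            Assert.False(context.Response.Headers.TryGetValue("Content-Security-Policy", out _));
        }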
        public void ContentSecurityPolicyMiddleware_adds_policy_from_startup()
        {
            // Arrange: HTML response; options extended with YouTube the way Startup would do it.
            var httpContext = new DefaultHttpContext();
            httpContext.Response.ContentType = "text/html";
            var hostingEnvironment = new Mock<IHostingEnvironment>();
            var startupOptions = new CspOptions().AddYouTube();

            // Act
            ContentSecurityPolicyMiddleware.AddHeader(httpContext, hostingEnvironment.Object, startupOptions, new List<ContentSecurityPolicyDependency>());

            // Assert: the origin added in options is carried into the emitted policy.
            var csp = httpContext.Response.Headers["Content-Security-Policy"].ToString();
            Assert.Contains("https://www.youtube-nocookie.com", csp);
        }
        public void ContentSecurityPolicyMiddleware_excludes_localhost_in_production()
        {
            // Arrange: HTML response in an environment that reports itself as Production.
            var httpContext = new DefaultHttpContext();
            httpContext.Response.ContentType = "text/html";

            var hostingEnvironment = new Mock<IHostingEnvironment>();
            hostingEnvironment
                .Setup(x => x.EnvironmentName)
                .Returns(EnvironmentName.Production);

            // Act
            ContentSecurityPolicyMiddleware.AddHeader(httpContext, hostingEnvironment.Object, new CspOptions(), new List<ContentSecurityPolicyDependency>());

            // Assert: a development-only origin must not widen the production policy.
            var csp = httpContext.Response.Headers["Content-Security-Policy"].ToString();
            Assert.DoesNotContain("https://localhost", csp);
        }
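        /// <summary>
        /// Invoking the middleware on a plain-HTTP request emits a CSP that has a default-src
        /// directive and allows unencrypted websocket (ws://) connections.
        /// </summary>
        public async Task ContentSecurityPolicyMiddlewareTest_invoke_testContent()
        {
            // Arrange
            var httpContext = new DefaultHttpContext();
            httpContext.Request.Scheme = "http";
            var middleware = new ContentSecurityPolicyMiddleware(next: (innerHttpContext) => Task.FromResult(0));

            // Act
            await middleware.Invoke(httpContext);

            // Assert. Boolean assertions rather than AreEqual(true, ...) so a failure
            // reports the condition instead of "expected True, got False".
            var csp = httpContext.Response.Headers["Content-Security-Policy"].ToString();

            Assert.IsTrue(csp.Contains("default-src"));
            // Request scheme is http, so the websocket scheme is expected to be ws, not wss.
            Assert.IsTrue(csp.Contains("ws://"));
        }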
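        /// <summary>
        /// Over HTTPS on a host with no explicit port, the websocket source is the bare
        /// wss://localhost origin with no ":port" suffix appended.
        /// </summary>
        public async Task invoke_httpsTest_websockets_localhostWithNoPort()
        {
            // Arrange
            var httpContext = new DefaultHttpContext();
            httpContext.Request.Scheme = "https";
            httpContext.Request.Host = new HostString("localhost");

            var middleware = new ContentSecurityPolicyMiddleware(next: (innerHttpContext) => Task.FromResult(0));

            // Act
            await middleware.Invoke(httpContext);

            // Assert. Boolean assertions rather than AreEqual(true, ...) so a failure
            // reports the condition instead of "expected True, got False".
            var csp = httpContext.Response.Headers["Content-Security-Policy"].ToString();

            Assert.IsTrue(csp.Contains("default-src"));
            Assert.IsTrue(csp.Contains("wss://localhost"));
            // A trailing colon would mean a port was emitted for a host that has none.
            Assert.IsFalse(csp.Contains("wss://localhost:"));
        }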