/// <summary>
/// Builds a policy that covers every supported directive with static sources and then
/// requests a nonce on <c>script-src</c>; asserts that <c>HasPerRequestValues</c> reports
/// <c>true</c> because of that nonce.
/// </summary>
/// <remarks>
/// NOTE(review): the method name says "WhenNotUsingNonce", but the assertion only holds
/// because of the <c>WithNonce()</c> call below — the name contradicts the scenario under
/// test (compare the <c>ReturnsFalse</c> sibling, which adds no nonce).
/// </remarks>
public void Build_ForAllHeaders_WhenNotUsingNonce_HasPerRequestValuesReturnsTrue()
{
    const string origin = "http://testUrl.com";
    CspBuilder builder = new CspBuilder();

    // Static sources only: nothing here varies per request.
    builder.AddDefaultSrc().Self().Blob().Data().From(origin);
    builder.AddConnectSrc().Self().Blob().Data().From(origin);
    builder.AddFontSrc().Self().Blob().Data().From(origin);
    builder.AddObjectSrc().Self().Blob().Data().From(origin);
    builder.AddFormAction().Self().Blob().Data().From(origin);
    builder.AddWorkerSrc().Self().Blob().Data().From(origin);
    builder.AddImgSrc().Self().Blob().Data().From(origin);
    builder.AddStyleSrc().Self().Blob().Data().From(origin);
    builder.AddMediaSrc().Self().Blob().Data().From(origin);
    builder.AddFrameAncestors().Self().Blob().Data().From(origin);
    builder.AddBaseUri().Self().Blob().Data().From(origin);
    builder.AddUpgradeInsecureRequests();
    builder.AddBlockAllMixedContent();

    // The nonce is the one per-request value in this policy, and is what the
    // assertion below depends on.
    builder.AddScriptSrc().WithNonce();

    var result = builder.Build();

    result.HasPerRequestValues.Should().BeTrue();
}
/// <summary>
/// A <c>script-src</c> directive with several sources serialises to a single
/// space-separated directive, with the sources in the order they were added.
/// </summary>
public void Build_AddSrciptSrc_WhenAddsMultipleValue_ReturnsAllValues()
{
    const string origin = "http://testUrl.com";
    CspBuilder builder = new CspBuilder();

    builder.AddScriptSrc().Self().Blob().Data().From(origin);

    var result = builder.Build();

    // Expected value pins both the keyword quoting ('self') and the scheme
    // forms (blob:, data:) used in the serialised header.
    result.Should().Be("script-src 'self' blob: data: http://testUrl.com");
}
/// <summary>
/// The keyword sources that weaken <c>script-src</c> ('unsafe-eval', 'unsafe-inline',
/// 'strict-dynamic', 'report-sample') are serialised verbatim and single-quoted.
/// </summary>
/// <remarks>
/// This only checks serialisation. 'unsafe-inline' and 'unsafe-eval' disable the
/// protections CSP is meant to provide for scripts; the builder does not (and this
/// test does not expect it to) warn about the combination.
/// </remarks>
public void Build_AddSrciptSrc_WhenAddsInsecureValues_ReturnsAllValues()
{
    const string origin = "http://testUrl.com";
    CspBuilder builder = new CspBuilder();

    builder.AddScriptSrc()
        .Self()
        .UnsafeEval()
        .UnsafeInline()
        .StrictDynamic()
        .ReportSample()
        .From(origin);

    var result = builder.Build();

    result.Should().Be("script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'report-sample' http://testUrl.com");
}
/// <summary>
/// Requesting a nonce on <c>script-src</c> marks the built policy as having
/// per-request values, regardless of the other sources on the directive.
/// </summary>
/// <remarks>
/// Only the flag is asserted here; the serialised header is not inspected. Note that
/// with 'strict-dynamic' present, CSP Level 3 user agents ignore 'unsafe-inline' and
/// the host source, so the effective policy is nonce-based.
/// </remarks>
public void Build_AddSrciptSrc_WhenAddsNonce_HasPerRequestValuesReturnsTrue()
{
    const string origin = "http://testUrl.com";
    CspBuilder builder = new CspBuilder();

    builder.AddScriptSrc()
        .Self()
        .UnsafeEval()
        .UnsafeInline()
        .StrictDynamic()
        .ReportSample()
        .WithNonce()
        .From(origin);

    var result = builder.Build();

    result.HasPerRequestValues.Should().BeTrue();
}
/// <summary>
/// The per-request builder reads the nonce stored on the <c>HttpContext</c> and emits
/// it as a <c>'nonce-…'</c> source on every directive that asked for one, including a
/// custom directive.
/// </summary>
/// <remarks>
/// The nonce value is a fixed fixture so the expected header can be spelled out; the
/// test does not cover how the nonce is generated.
/// </remarks>
public void Builder_WhenUsingNonce_AddsNonceToCSP()
{
    const string nonce = "ABC123";
    CspBuilder builder = new CspBuilder();

    builder.AddScriptSrc().WithNonce();
    builder.AddStyleSrc().WithNonce();
    builder.AddCustomDirectiveBuilder("test-directive").WithNonce();

    var result = builder.Build();

    // Per-request values are resolved against the HttpContext at build time.
    var httpContext = new DefaultHttpContext();
    httpContext.SetNonce(nonce);
    var csp = result.Builder(httpContext);

    csp.Should().Be($"script-src 'nonce-{nonce}'; style-src 'nonce-{nonce}'; test-directive 'nonce-{nonce}'");
}
/// <summary>
/// When the policy has no per-request values, reading <c>Builder</c> on the built result
/// throws <see cref="InvalidOperationException"/> instead of returning a delegate.
/// </summary>
public void Build_AddSrciptSrc_WhenDoesntAddNonce_BuilderThrowsInvalidOperation()
{
    const string origin = "http://testUrl.com";
    CspBuilder builder = new CspBuilder();

    // No WithNonce() here, so the result is fully static.
    builder.AddScriptSrc()
        .Self()
        .UnsafeEval()
        .UnsafeInline()
        .StrictDynamic()
        .ReportSample()
        .From(origin);

    var result = builder.Build();

    // The property getter itself is what is expected to throw; the value is discarded.
    result.Invoking(x => { _ = x.Builder; })
        .ShouldThrow<InvalidOperationException>();
}
/// <summary>
/// Builds a policy that covers every directive with static sources only (no nonce on
/// any directive) and asserts that <c>HasPerRequestValues</c> reports <c>false</c>.
/// </summary>
/// <remarks>
/// Keyword sources such as 'unsafe-inline' and 'strict-dynamic' are static from the
/// builder's point of view; only nonces are per-request here.
/// </remarks>
public void Build_ForAllHeaders_WhenNotUsingNonce_HasPerRequestValuesReturnsFalse()
{
    const string origin = "http://testUrl.com";
    CspBuilder builder = new CspBuilder();

    builder.AddDefaultSrc().Self().Blob().Data().From(origin);
    builder.AddConnectSrc().Self().Blob().Data().From(origin);
    builder.AddFontSrc().Self().Blob().Data().From(origin);
    builder.AddObjectSrc().Self().Blob().Data().From(origin);
    builder.AddFormAction().Self().Blob().Data().From(origin);
    builder.AddImgSrc().Self().Blob().Data().From(origin);
    builder.AddScriptSrc()
        .Self()
        .UnsafeEval()
        .UnsafeInline()
        .StrictDynamic()
        .ReportSample()
        .From(origin);
    builder.AddStyleSrc().Self().Blob().Data().From(origin);
    builder.AddMediaSrc().Self().Blob().Data().From(origin);
    builder.AddFrameAncestors().Self().Blob().Data().From(origin);
    builder.AddBaseUri().Self().Blob().Data().From(origin);
    builder.AddUpgradeInsecureRequests();
    builder.AddBlockAllMixedContent();

    var result = builder.Build();

    result.HasPerRequestValues.Should().BeFalse();
}