/// <summary>
/// With the CSP policy disabled as a whole, an insecure (http) request must not be upgraded even
/// though the upgrade-insecure-requests directive itself is switched on: the helper reports
/// false and the response status remains 200 (no redirect was issued).
/// </summary>
public void TryUpgradeInsecureRequest_CspDisabledAndHttpRequest_ReturnsFalse()
{
    // Arrange: plain-http request, directive enabled, but the enclosing CSP policy disabled.
    SetSecureConnection(false);
    var config = new CspConfiguration
    {
        Enabled = false,
        UpgradeInsecureRequestsDirective = { Enabled = true }
    };
    var upgradeHelper = new CspUpgradeInsecureRequestHelper(config);

    // Act
    var upgraded = upgradeHelper.TryUpgradeInsecureRequest(_context.Object);

    // Assert: nothing was upgraded and the status code was left at 200.
    Assert.IsFalse(upgraded);
    Assert.AreEqual(200, _response.Object.StatusCode);
}
/// <summary>
/// Happy path for the upgrade: CSP and the directive are enabled, a non-default https port is
/// configured and the request arrives over plain http. The helper must report true, append
/// <c>Vary: Upgrade-Insecure-Requests</c>, redirect to the https URL on port 4321, end the
/// response and leave a 307 status behind.
/// </summary>
public void TryUpgradeInsecureRequest_UpgradeEnabledWithPortAndUpgradableRequest_RedirectsAndReturnsTrue()
{
    // Arrange: an http request for the site root, i.e. one that is eligible for upgrading.
    SetRequestUri("http://www.nwebsec.com");
    SetSecureConnection(false);

    // Response members the helper is expected to touch.
    _response.Setup(r => r.AppendHeader(It.IsAny<string>(), It.IsAny<string>()));
    _response.Setup(r => r.Redirect(It.IsAny<string>(), false));
    _response.Setup(r => r.End());

    var config = new CspConfiguration
    {
        Enabled = true,
        UpgradeInsecureRequestsDirective = { Enabled = true, HttpsPort = 4321 }
    };
    var upgradeHelper = new CspUpgradeInsecureRequestHelper(config);

    // Act
    var upgraded = upgradeHelper.TryUpgradeInsecureRequest(_context.Object);

    // Assert
    Assert.IsTrue(upgraded);
    // Vary on the request header so caches do not serve this redirect to clients that
    // never signalled upgrade support.
    _response.Verify(r => r.AppendHeader("Vary", "Upgrade-Insecure-Requests"), Times.Once);
    // Same host and path, scheme switched to https with the configured port appended; the
    // endResponse argument stays false because the helper calls End() itself (verified below).
    _response.Verify(r => r.Redirect("https://www.nwebsec.com:4321/", false), Times.Once);
    _response.Verify(r => r.End(), Times.Once);
    // 307 preserves the original request method across the redirect.
    Assert.AreEqual(307, _response.Object.StatusCode);
}
/// <summary>
/// BeginRequest handler. First lets the upgrade-insecure-requests helper redirect an eligible
/// http request to https; otherwise applies the configured sitewide headers and, for requests
/// aimed at the built-in CSP violation report handler, parses the report, raises
/// <see cref="OnCspViolationReport"/> and completes the request with 204 (400 when the report
/// cannot be read).
/// </summary>
/// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
/// <param name="e">Event data; not used.</param>
void AppBeginRequest(object sender, EventArgs e)
{
    var application = (HttpApplication)sender;
    var context = new HttpContextWrapper(application.Context);

    // A client that advertises upgrade-insecure-requests and gets redirected receives nothing
    // else on this response: the redirect is the whole answer. TryUpgradeInsecureRequest is
    // only consulted when the UA check passed.
    var uaSupportsUpgrade = _cspUpgradeRequestHelper.UaSupportsUpgradeInsecureRequests(context.Request);
    if (uaSupportsUpgrade && _cspUpgradeRequestHelper.TryUpgradeInsecureRequest(context))
    {
        return;
    }

    _configHeaderSetter.SetSitewideHeadersFromConfig(context);

    // Everything below concerns only the built-in CSP report endpoint.
    if (!_cspReportHelper.IsRequestForBuiltInCspReportHandler(context.Request))
    {
        return;
    }

    // The report body is browser-supplied and untrusted: only a successfully parsed report is
    // surfaced to subscribers, anything else is answered with 400. In both cases the request
    // is completed here.
    CspViolationReport violationReport;
    var reportParsed = _cspReportHelper.TryGetCspReportFromRequest(context.Request, out violationReport);
    if (reportParsed)
    {
        OnCspViolationReport(new CspViolationReportEventArgs { ViolationReport = violationReport });
    }
    context.Response.StatusCode = reportParsed ? 204 : 400;
    application.CompleteRequest();
}