/// <summary>
/// A builder that was never configured must render the most restrictive header value, "deny",
/// so that forgetting to choose a policy fails closed rather than leaving the page frameable.
/// </summary>
public void Empty_options_is_deny()
{
    // No option is selected on purpose: this exercises the builder's defaults.
    var defaultOptions = new XFrameOptionsOptionsBuilder().Build();

    var frameHeader = new XFrameOptionsHeader(defaultOptions);

    Assert.Equal("X-Frame-Options", frameHeader.Key);
    Assert.Equal("deny", frameHeader.Value);
}
/// <summary>
/// Adds <c>XFrameOptionsMiddleware</c> to the pipeline so that responses carry an X-Frame-Options header.
/// The header tells the browser whether this page may be rendered inside a frame, iframe, embed or object
/// element, which is the classic defence against clickjacking.
/// </summary>
/// <remarks>
/// Content Security Policy's <c>frame-ancestors</c> directive is the standardised successor to this header,
/// and browsers that implement it give it precedence over X-Frame-Options. The <c>allow-from</c> form is
/// not honoured by current mainstream browsers, so a per-origin allowance should also be expressed with
/// <c>frame-ancestors</c>; <c>deny</c> and <c>sameorigin</c> remain widely supported.
/// </remarks>
/// <param name="app">The application builder the middleware is registered on.</param>
/// <param name="builder">Callback that selects the header policy on a fresh <c>XFrameOptionsOptionsBuilder</c>.</param>
/// <returns>The value returned by <c>UseMiddleware</c>, so that calls can be chained.</returns>
public static IApplicationBuilder UseXFrameOptions(this IApplicationBuilder app, Action<XFrameOptionsOptionsBuilder> builder)
{
    // Project guard helper; presumably throws when the callback is null (confirm against its definition).
    builder.EnsureNotNull(nameof(builder));

    // The caller never sees the options object directly: it configures a new builder,
    // and the built result is what the middleware receives.
    var optionsBuilder = new XFrameOptionsOptionsBuilder();
    builder.Invoke(optionsBuilder);
    var frameOptions = optionsBuilder.Build();

    return app.UseMiddleware<XFrameOptionsMiddleware>(frameOptions);
}
/// <summary>
/// Selecting AllowFrom must render "allow-from" followed by the URI that was passed in.
/// </summary>
/// <remarks>
/// This pins the header text only. Current mainstream browsers do not honour allow-from,
/// so this value on its own should not be relied on as framing protection.
/// </remarks>
public void AllowFrom_option_is_allow_with_uri()
{
    var optionsBuilder = new XFrameOptionsOptionsBuilder();
    optionsBuilder.AllowFrom("https://some.uri");
    var allowFromOptions = optionsBuilder.Build();

    var frameHeader = new XFrameOptionsHeader(allowFromOptions);

    Assert.Equal("X-Frame-Options", frameHeader.Key);
    Assert.Equal("allow-from https://some.uri", frameHeader.Value);
}
/// <summary>
/// Selecting SameOrigin must render the header value "sameorigin", which permits framing
/// only by pages from the same origin as the response.
/// </summary>
public void SameOrigin_option_is_sameorigin()
{
    var optionsBuilder = new XFrameOptionsOptionsBuilder();
    optionsBuilder.SameOrigin();
    var sameOriginOptions = optionsBuilder.Build();

    var frameHeader = new XFrameOptionsHeader(sameOriginOptions);

    Assert.Equal("X-Frame-Options", frameHeader.Key);
    Assert.Equal("sameorigin", frameHeader.Value);
}