public void Empty_options_is_deny()
    {
        // Arrange: build options without selecting any framing policy.
        var options = new XFrameOptionsOptionsBuilder().Build();

        // Act
        var frameHeader = new XFrameOptionsHeader(options);

        // Assert: an unconfigured builder must yield the most restrictive value, "deny",
        // so forgetting to pick an option never leaves the page frameable.
        Assert.Equal("X-Frame-Options", frameHeader.Key);
        Assert.Equal("deny", frameHeader.Value);
    }
    /// <summary>
    /// Adds middleware that sets the X-Frame-Options header on the HTTP response, controlling whether this page
    /// may be shown inside a frame, iframe, embed, or object element (a defence against clickjacking).
    /// </summary>
    /// <remarks>
    /// Content Security Policy's frame-ancestors directive supersedes this header in browsers that support it.
    /// The allow-from value in particular is ignored by current browsers, so limiting framing to specific
    /// origins requires a frame-ancestors policy in addition to this header.
    /// </remarks>
    /// <param name="app">The application builder the middleware is registered on.</param>
    /// <param name="builder">A callback that configures header options on a freshly created options builder.</param>
    /// <returns>The application builder, for chaining.</returns>
    public static IApplicationBuilder UseXFrameOptions(this IApplicationBuilder app, Action<XFrameOptionsOptionsBuilder> builder)
    {
        builder.EnsureNotNull(nameof(builder));

        // The callback mutates a builder created here; only the built options are handed to the middleware.
        var optionsBuilder = new XFrameOptionsOptionsBuilder();
        builder.Invoke(optionsBuilder);

        return app.UseMiddleware<XFrameOptionsMiddleware>(optionsBuilder.Build());
    }
    public void AllowFrom_option_is_allow_with_uri()
    {
        // Arrange: select the allow-from policy for a single origin.
        var optionsBuilder = new XFrameOptionsOptionsBuilder();
        optionsBuilder.AllowFrom("https://some.uri");
        var options = optionsBuilder.Build();

        // Act
        var frameHeader = new XFrameOptionsHeader(options);

        // Assert: this pins the header's formatting only. allow-from is obsolete and current browsers
        // ignore an X-Frame-Options header that carries it, so it gives no framing protection there;
        // CSP frame-ancestors is the supported way to allow specific origins.
        Assert.Equal("X-Frame-Options", frameHeader.Key);
        Assert.Equal("allow-from https://some.uri", frameHeader.Value);
    }
    public void SameOrigin_option_is_sameorigin()
    {
        // Arrange: select the same-origin framing policy.
        var optionsBuilder = new XFrameOptionsOptionsBuilder();
        optionsBuilder.SameOrigin();
        var options = optionsBuilder.Build();

        // Act
        var frameHeader = new XFrameOptionsHeader(options);

        // Assert: header name and the exact lower-case value emitted for this policy.
        Assert.Equal("X-Frame-Options", frameHeader.Key);
        Assert.Equal("sameorigin", frameHeader.Value);
    }