/// <summary>
/// Adds a Content-Security-Policy header (and, when configured, its deprecated X- variant) that
/// blocks every source except the single inline script identified by <paramref name="hash"/>.
/// </summary>
/// <param name="response">The response whose headers receive the policy.</param>
/// <param name="options">CSP options; <c>Level</c> decides whether the level-1 fallback is emitted.</param>
/// <param name="hash">
/// The hash source expression for the permitted inline script. It is quoted into the header
/// without any escaping, so it must be a value computed by the caller (a quote or semicolon in it
/// would alter the policy); it is expected to already carry its algorithm prefix — confirm with callers.
/// </param>
public static void AddScriptCspHeaders(this HttpResponse response, CspOptions options, string hash)
{
    // CSP level-1 user agents do not understand hash sources, so 'unsafe-inline' keeps the script
    // running there; per the CSP spec, level-2+ agents ignore 'unsafe-inline' once a hash is present.
    var unsafeInlineFallback = options.Level == CspLevel.One
        ? "'unsafe-inline' "
        : string.Empty;

    var policy = string.Concat("default-src 'none'; script-src ", unsafeInlineFallback, "'", hash, "'");

    AddCspHeaders(response.Headers, options, policy);
}
/// <summary>
/// Writes <paramref name="cspHeader"/> as the Content-Security-Policy header, plus the deprecated
/// X-Content-Security-Policy header when <c>options.AddDeprecatedHeader</c> is set.
/// </summary>
/// <param name="headers">The response header collection to write into.</param>
/// <param name="options">CSP options; only <c>AddDeprecatedHeader</c> is consulted here.</param>
/// <param name="cspHeader">The complete policy string; it is stored as-is.</param>
/// <remarks>
/// A header that is already present is left untouched, so a policy set earlier in the pipeline
/// wins over this one rather than being silently replaced.
/// </remarks>
private static void AddCspHeaders(IHeaderDictionary headers, CspOptions options, string cspHeader)
{
    void AddIfAbsent(string headerName)
    {
        if (headers.ContainsKey(headerName))
        {
            return;
        }

        headers.Add(headerName, cspHeader);
    }

    AddIfAbsent("Content-Security-Policy");

    if (options.AddDeprecatedHeader)
    {
        AddIfAbsent("X-Content-Security-Policy");
    }
}
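/// <summary>
/// Adds a Content-Security-Policy header (and, when configured, its deprecated X- variant) that
/// blocks every source except the single inline stylesheet identified by <paramref name="hash"/>,
/// optionally allowing frames from <paramref name="frameSources"/>.
/// </summary>
/// <param name="response">The response whose headers receive the policy.</param>
/// <param name="options">CSP options; <c>Level</c> decides whether the level-1 fallback is emitted.</param>
/// <param name="hash">
/// The hash source expression for the permitted inline style. It is quoted into the header without
/// any escaping, so it must be a value computed by the caller, not externally supplied text.
/// </param>
/// <param name="frameSources">
/// A CSP source list inserted verbatim after <c>frame-src</c>; null, empty or whitespace-only
/// values add no frame-src directive. Like <paramref name="hash"/>, it is not escaped, so it must
/// come from trusted configuration.
/// </param>
public static void AddStyleCspHeaders(this HttpResponse response, CspOptions options, string hash, string frameSources)
{
    // CSP level-1 user agents do not understand hash sources, so 'unsafe-inline' keeps the style
    // applied there; per the CSP spec, level-2+ agents ignore 'unsafe-inline' once a hash is present.
    var csp1part = options.Level == CspLevel.One ? "'unsafe-inline' " : string.Empty;
    var cspHeader = $"default-src 'none'; style-src {csp1part}'{hash}'";

    // A whitespace-only source list would emit a bare "frame-src" directive with no sources,
    // which is malformed, so it is treated the same as no frame sources at all.
    if (!string.IsNullOrWhiteSpace(frameSources))
    {
        cspHeader += $"; frame-src {frameSources}";
    }

    AddCspHeaders(response.Headers, options, cspHeader);
}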