public void UrlIsExcluded()
        {
            // A request whose path matches one of the relative excluded URLs must not have the policy applied.
            var excluded = new[] { new Uri("/example/excluded.html", UriKind.Relative) };
            var requested = new Uri("https://www.example.org/example/excluded.html");

            var filter = new ContentSecurityPolicyUrlFilter(requested, excluded);

            Assert.IsFalse(filter.ApplyPolicy());
        }
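        /// <summary>
        /// Renders the "page not found" response: sets the 404 status code, applies the skin, adds a nonce-based
        /// script-src policy to the response and configures the analytics script with the sanitised request path
        /// and referrer.
        /// </summary>
        /// <param name="requestedUrl">The URL that could not be found, or <c>null</c> if it is not known.</param>
        private void Show404(Uri requestedUrl)
        {
            // Every character outside this list is stripped before a value is placed in a data attribute of the
            // tracking script. Quotes are not in the list, so the values never need quote-escaping as well.
            const string disallowedCharacters = @"[^A-Za-z0-9/\-_\.\?=:#+%]";

            // Return the correct HTTP status code
            new Web.HttpStatus().NotFound();

            // Set the page title
            Page.Title = "Page not found";

            var skinnable = Master as BaseMasterPage;
            if (skinnable != null)
            {
                skinnable.Skin = new CustomerFocusSkin();
            }

            // A CSP nonce must be unpredictable for every response, so it is drawn from a cryptographic random
            // number generator rather than Guid.NewGuid(), which is not documented as cryptographically random.
            // Base64 is the encoding the CSP specification expects for nonce values.
            var nonceBytes = new byte[16];
            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(nonceBytes);
            }
            var nonce = Convert.ToBase64String(nonceBytes);

            var config = new ContentSecurityPolicyFromConfig();
            var filter = new ContentSecurityPolicyUrlFilter(Request.Url, config.UrlsToExclude);

            // The header can only be added while the response headers are still open
            if (filter.ApplyPolicy() && !Response.HeadersWritten)
            {
                new ContentSecurityPolicyHeaders(Response.Headers).AppendPolicy($"script-src 'nonce-{nonce}'").UpdateHeaders();
            }

            // Configure the tracking script and track the 404 with Google Analytics. The same nonce is set on the
            // script element so that it is allowed by the script-src policy added above.
            script.TagName = "script";
            script.Attributes.Add("nonce", nonce);

            if (requestedUrl != null)
            {
                script.Attributes.Add("data-request", Server.HtmlEncode(Regex.Replace(requestedUrl.PathAndQuery, disallowedCharacters, String.Empty)));
            }

            var referrer = String.Empty;

            try
            {
                if (Request.UrlReferrer != null)
                {
                    // No quote-escaping is needed here: the previous Replace("'", "\'") was a no-op ("\'" is the
                    // same string as "'"), and single quotes are removed by the character filter below anyway.
                    referrer = Request.UrlReferrer.ToString();
                }
            }
            catch (UriFormatException)
            {
                // Catch this error and simply ignore the referrer if it is an invalid URI, which can happen in a hacking scenario.
                // For example, if the request contains an invalid referring URL such as http://google.com', when you access the
                // Request.UrlReferrer property .NET creates a Uri instance which throws this exception.
            }

            script.Attributes.Add("data-referrer", Server.HtmlEncode(Regex.Replace(referrer, disallowedCharacters, String.Empty)));
        }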
        /// <summary>
        /// Handles the Load event of the Page control, adding the response headers shared by all master pages.
        /// </summary>
        /// <param name="sender">The source of the event.</param>
        /// <param name="e">The <see cref="System.EventArgs"/> instance containing the event data.</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            // Common headers for all master pages: Force IE to use latest rendering engine or Chrome Frame
            Response.AddHeader("X-UA-Compatible", "IE=edge,chrome=1");

            // Google recommends a "Vary: User-Agent" header so that proxy caches don't serve the mobile template
            // to desktop users, but it is not sent here because ASP.NET ignores it (and gzip already uses
            // Vary: Accept-Encoding).
            // https://developers.google.com/webmasters/smartphone-sites/details

            // In rare circumstances Azure can return a value for Request.Url.Authority which is not correct. Since
            // Request.Url.Authority is used to load client-side assets, ensure it is always allowed by the content security policy.
            var cspConfig = new ContentSecurityPolicyFromConfig();
            var urlFilter = new ContentSecurityPolicyUrlFilter(Request.Url, cspConfig.UrlsToExclude);

            // Nothing to do if this URL is excluded from the policy, or if the headers have already been sent
            if (!urlFilter.ApplyPolicy() || Response.HeadersWritten)
            {
                return;
            }

            var origin = Request.Url.GetLeftPart(UriPartial.Authority);
            var policy = $"script-src {origin}; style-src {origin}; img-src {origin}";

            new ContentSecurityPolicyHeaders(Response.Headers).AppendPolicy(policy).UpdateHeaders();
        }
        /// <summary>
        /// Registers the CSS and JavaScript files in a dependency set with the page skins, and appends any
        /// content security policies the dependency set requires to the response headers.
        /// </summary>
        /// <param name="dependencySet">The client-side dependencies to register.</param>
        private void AddClientDependencies(IClientDependencySet dependencySet)
        {
            foreach (var css in dependencySet.RequiresCss())
            {
                var mediaQuery = css.MediaQueryAlias;

                // A stylesheet with no media query alias goes to the small skin; the medium and large skins take
                // the stylesheets whose alias matches their media configuration. The checks are independent,
                // so a stylesheet is added to every skin it matches.
                if (String.IsNullOrEmpty(mediaQuery))
                {
                    skinSmall.FileList.Add(css.CssFileAlias);
                }
                if (mediaQuery == skinMedium.MediaConfiguration)
                {
                    skinMedium.FileList.Add(css.CssFileAlias);
                }
                if (mediaQuery == skinLarge.MediaConfiguration)
                {
                    skinLarge.FileList.Add(css.CssFileAlias);
                }
            }

            foreach (var js in dependencySet.RequiresJavaScript())
            {
                skinScript.FileList.Add(js.JsFileAlias);
            }

            var cspConfig = new ContentSecurityPolicyFromConfig();
            var urlFilter = new ContentSecurityPolicyUrlFilter(Request.Url, cspConfig.UrlsToExclude);

            // Policies can only be added while this URL is covered by the policy and the headers are still open
            if (!urlFilter.ApplyPolicy() || Response.HeadersWritten)
            {
                return;
            }

            var cspHeaders = new ContentSecurityPolicyHeaders(Response.Headers);

            foreach (var requiredPolicy in dependencySet.RequiresContentSecurityPolicy())
            {
                // NOTE(review): the alias is looked up directly in the configured policies; the behaviour for an
                // alias that is not configured depends on the type of Policies, which is not visible here.
                cspHeaders.AppendPolicy(cspConfig.Policies[requiredPolicy.Alias]);
            }

            cspHeaders.UpdateHeaders();
        }