/// <summary>
/// Creates a CSP configuration. With <paramref name="initializeDirectives"/> set (the default)
/// every directive property receives a fresh, default-constructed directive configuration;
/// with it cleared, the directive properties are left as-is for the caller to populate.
/// </summary>
/// <param name="initializeDirectives">Whether to create a default configuration object for each directive.</param>
public CspConfiguration(bool initializeDirectives = true)
{
    if (initializeDirectives)
    {
        // Directives that share the generic source-list configuration.
        DefaultSrcDirective = new CspDirectiveConfiguration();
        ScriptSrcDirective = new CspDirectiveConfiguration();
        ObjectSrcDirective = new CspDirectiveConfiguration();
        StyleSrcDirective = new CspDirectiveConfiguration();
        ImgSrcDirective = new CspDirectiveConfiguration();
        MediaSrcDirective = new CspDirectiveConfiguration();
        FrameSrcDirective = new CspDirectiveConfiguration();
        FontSrcDirective = new CspDirectiveConfiguration();
        ConnectSrcDirective = new CspDirectiveConfiguration();
        BaseUriDirective = new CspDirectiveConfiguration();
        ChildSrcDirective = new CspDirectiveConfiguration();
        FormActionDirective = new CspDirectiveConfiguration();
        FrameAncestorsDirective = new CspDirectiveConfiguration();

        // Directives with their own configuration shape.
        PluginTypesDirective = new CspPluginTypesDirectiveConfiguration();
        SandboxDirective = new CspSandboxDirectiveConfiguration();
        UpgradeInsecureRequestsDirective = new CspUpgradeDirectiveConfiguration();
        ReportUriDirective = new CspReportUriDirectiveConfiguration();
    }
}
/// <summary>
/// Requesting a script nonce must stamp the nonce that was handed out onto both the
/// enforced and the report-only script-src override directives.
/// </summary>
public void GetCspScriptNonce_ScriptNonceRequestedAndOverrideWithoutNonce_SetsNonceOnOverride()
{
    // Arrange: one override configuration per header kind, each with an empty script-src override.
    var enforcedOverride = new CspOverrideConfiguration();
    var reportOnlyOverride = new CspOverrideConfiguration();
    var enforcedScriptSrc = new CspDirectiveConfiguration();
    var reportOnlyScriptSrc = new CspDirectiveConfiguration();

    _contextHelper
        .Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContext>(), false, false))
        .Returns(enforcedOverride);
    _contextHelper
        .Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContext>(), true, false))
        .Returns(reportOnlyOverride);
    _directiveConfigMapper
        .Setup(m => m.GetCspDirectiveConfig(enforcedOverride, CspDirectives.ScriptSrc))
        .Returns(enforcedScriptSrc);
    _directiveConfigMapper
        .Setup(m => m.GetCspDirectiveConfig(reportOnlyOverride, CspDirectives.ScriptSrc))
        .Returns(reportOnlyScriptSrc);

    // Act
    var issuedNonce = _cspConfigurationOverrideHelper.GetCspScriptNonce(MockContext);

    // Assert: both override directives carry the very nonce that was returned to the caller.
    Assert.Equal(issuedNonce, enforcedScriptSrc.Nonce);
    Assert.Equal(issuedNonce, reportOnlyScriptSrc.Nonce);
}
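/// <summary>
/// An override that sets None to false on a directive whose NoneSrc is already false must
/// leave every other source (self, nonce, unsafe-inline, unsafe-eval, strict-dynamic, custom
/// hosts) untouched, i.e. the result compares equal to the input configuration.
/// </summary>
public void GetOverridenCspDirectiveConfig_NoneDisabledOverride_OverridesNoneAndKeepsOtherSources()
{
    // A directive with every kind of source populated; it doubles as the expected value.
    var directiveConfig = new CspDirectiveConfiguration
    {
        NoneSrc = false,
        SelfSrc = true,
        Nonce = "hei",
        UnsafeInlineSrc = true,
        UnsafeEvalSrc = true,
        StrictDynamicSrc = true,
        CustomSources = new[] { "nwebsec.com" }
    };
    var directiveOverride = new CspDirectiveOverride { None = false };

    var result = _overrideHelper.GetOverridenCspDirectiveConfig(directiveOverride, directiveConfig);

    // xUnit's Assert.Equal is (expected, actual, comparer); the input configuration is the
    // expected value here, so it goes first to keep the failure message labels correct.
    Assert.Equal(directiveConfig, result, new CspDirectiveConfigurationEqualityComparer());
}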
/// <summary>
/// Returns a detached copy of the directive configuration selected by
/// <paramref name="directive"/>, or null when that directive is not configured.
/// The copy owns its own <c>CustomSources</c> list, so changes made through the clone's
/// list are not visible through the original configuration.
/// </summary>
/// <param name="cspConfig">Configuration to read the directive from.</param>
/// <param name="directive">Which directive to clone.</param>
/// <returns>A new <see cref="CspDirectiveConfiguration"/>, or null if the source directive is null.</returns>
public ICspDirectiveConfiguration GetCspDirectiveConfigCloned(ICspConfiguration cspConfig, CspDirectives directive)
{
    var source = GetCspDirectiveConfig(cspConfig, directive);
    if (source == null)
    {
        return null;
    }

    // Always materialize a fresh list (empty when the source has none) so the clone never
    // shares list storage with the source directive.
    var customSources = source.CustomSources == null
        ? new List<string>(0)
        : source.CustomSources.ToList();

    // NOTE(review): only the properties listed below are carried over. CspDirectiveConfiguration
    // has a StrictDynamicSrc flag elsewhere in this code base; if ICspDirectiveConfiguration
    // exposes it too, a clone silently drops 'strict-dynamic' from the effective policy — confirm.
    return new CspDirectiveConfiguration
    {
        Enabled = source.Enabled,
        NoneSrc = source.NoneSrc,
        SelfSrc = source.SelfSrc,
        UnsafeEvalSrc = source.UnsafeEvalSrc,
        UnsafeInlineSrc = source.UnsafeInlineSrc,
        Nonce = source.Nonce,
        CustomSources = customSources
    };
}
/// <summary>
/// When an override already exists for the directive, a new override must be merged onto
/// the existing one and the merged result written back to the override configuration.
/// </summary>
/// <param name="reportOnly">Whether the report-only override configuration is targeted.</param>
/// <param name="directive">The directive being overridden.</param>
public void SetCspDirectiveOverride_HasOverride_OverridesExistingOverride(bool reportOnly, CspDirectives directive)
{
    var overrideConfig = new CspOverrideConfiguration();
    var existingOverride = new CspDirectiveConfiguration();
    var incomingOverride = new CspDirectiveOverride();
    var mergedOverride = new CspDirectiveConfiguration();

    // The context already holds an override configuration for the requested header kind...
    _contextHelper
        .Setup(h => h.GetCspConfigurationOverride(It.IsAny<HttpContext>(), reportOnly, false))
        .Returns(overrideConfig);
    // ...and that configuration already carries an override for the directive.
    _directiveConfigMapper
        .Setup(m => m.GetCspDirectiveConfig(overrideConfig, directive))
        .Returns(existingOverride);
    // Merging the incoming override onto the existing one yields the merged result.
    _directiveOverrideHelper
        .Setup(h => h.GetOverridenCspDirectiveConfig(incomingOverride, existingOverride))
        .Returns(mergedOverride);
    // The final step stores the merged result on the override configuration.
    _directiveConfigMapper
        .Setup(m => m.SetCspDirectiveConfig(overrideConfig, directive, mergedOverride));

    _cspConfigurationOverrideHelper.SetCspDirectiveOverride(MockContext, directive, incomingOverride, reportOnly);

    // Exactly one write-back of the merged override is expected.
    _directiveConfigMapper.Verify(
        m => m.SetCspDirectiveConfig(overrideConfig, directive, mergedOverride),
        Times.Once);
}
/// <summary>
/// A configured script-src directive must be cloned into a distinct instance whose
/// values compare equal to the original.
/// </summary>
public void GetCspDirectiveConfigCloned_Configured_ClonesDirective()
{
    var original = new CspDirectiveConfiguration
    {
        Enabled = false,
        NoneSrc = true,
        SelfSrc = true,
        UnsafeEvalSrc = true,
        UnsafeInlineSrc = false,
        CustomSources = new[] { "https://www.nwebsec.com", "www.klings.org" }
    };
    // initializeDirectives = false, so only the directive under test is populated.
    var config = new CspConfiguration(false) { ScriptSrcDirective = original };
    var mapper = new CspConfigMapper();

    var clone = mapper.GetCspDirectiveConfigCloned(config, CspDirectives.ScriptSrc);

    // A clone must be a separate object (edits to it must not reach the source) yet equal by value.
    Assert.AreNotSame(original, clone);
    Assert.That(clone, Is.EqualTo(original).Using(new CspDirectiveConfigurationComparer()));
}
/// <summary>
/// Overriding a directive with 'none' must set NoneSrc and discard every other source,
/// since CSP gives 'none' no meaning alongside other source expressions.
/// </summary>
public void GetOverridenCspDirectiveConfig_NoneEnabledOverride_OverridesNoneAndDropsOtherSources()
{
    // A directive with every kind of source populated.
    var directiveConfig = new CspDirectiveConfiguration
    {
        NoneSrc = false,
        SelfSrc = true,
        Nonce = "hei",
        UnsafeEvalSrc = true,
        UnsafeInlineSrc = true,
        CustomSources = new[] { "nwebsec.com" }
    };
    var noneOverride = new CspDirectiveOverride { None = true };
    // Only NoneSrc survives; every other source is expected at its default.
    var expected = new CspDirectiveConfiguration { NoneSrc = true };

    var result = _overrideHelper.GetOverridenCspDirectiveConfig(noneOverride, directiveConfig);

    Assert.That(result, Is.EqualTo(expected).Using(new CspDirectiveConfigurationComparer()));
}
/// <summary>
/// Creates a CSP configuration. With <paramref name="initializeDirectives"/> set (the default)
/// every directive property receives a fresh, default-constructed directive configuration;
/// with it cleared, the directive properties are left as-is for the caller to populate.
/// </summary>
/// <param name="initializeDirectives">Whether to create a default configuration object for each directive.</param>
public CspConfiguration(bool initializeDirectives = true)
{
    if (initializeDirectives)
    {
        // Directives that share the generic source-list configuration.
        DefaultSrcDirective = new CspDirectiveConfiguration();
        ScriptSrcDirective = new CspDirectiveConfiguration();
        ObjectSrcDirective = new CspDirectiveConfiguration();
        StyleSrcDirective = new CspDirectiveConfiguration();
        ImgSrcDirective = new CspDirectiveConfiguration();
        MediaSrcDirective = new CspDirectiveConfiguration();
        FrameSrcDirective = new CspDirectiveConfiguration();
        FontSrcDirective = new CspDirectiveConfiguration();
        ConnectSrcDirective = new CspDirectiveConfiguration();
        BaseUriDirective = new CspDirectiveConfiguration();
        ChildSrcDirective = new CspDirectiveConfiguration();
        FormActionDirective = new CspDirectiveConfiguration();
        FrameAncestorsDirective = new CspDirectiveConfiguration();

        // Directives with their own configuration shape.
        PluginTypesDirective = new CspPluginTypesDirectiveConfiguration();
        SandboxDirective = new CspSandboxDirectiveConfiguration();
        ReportUriDirective = new CspReportUriDirectiveConfiguration();
    }
}