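/// <summary>
/// Builds one CSP directive fragment from a policy source: the directive name
/// (<c>csp.Name</c>), the option keywords produced by <c>GeneratePolicyOptions</c>,
/// and the configured hostnames, terminated by <c>;</c>.
/// </summary>
/// <param name="csp">The policy source; <c>null</c> yields an empty string.</param>
/// <returns>
/// The directive text ending in <c>;</c>, or <see cref="String.Empty"/> when the
/// source has neither option keywords nor hostnames (a bare directive name is never emitted).
/// </returns>
private string GenerateSourcePolicy(IContentSecurityPolicySource csp)
{
    if (csp == null)
    {
        return String.Empty;
    }

    // Evaluate the option keywords once (the original called GeneratePolicyOptions twice)
    // and tolerate a null result so the whitespace check below cannot throw.
    var policyOptions = GeneratePolicyOptions(csp.Options) ?? String.Empty;

    // Hostnames may be unset (the copy constructor does not guarantee a value); treat null as empty
    // instead of dereferencing it with Trim().
    var hostnames = csp.Hostnames ?? String.Empty;

    if (String.IsNullOrWhiteSpace(policyOptions) && String.IsNullOrWhiteSpace(hostnames))
    {
        return String.Empty;
    }

    var source = String.Concat(csp.Name, " ", policyOptions);

    // The None option is meant to be the only source expression in a directive,
    // so the host list is deliberately left out when it is set.
    if (!csp.Options.None)
    {
        source += hostnames;
    }

    return source + ";";
}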
/// <summary>
/// Creates a policy source of the requested type without consulting any item; the
/// instance carries whatever its parameterless constructor sets.
/// </summary>
/// <typeparam name="TContentSecurityPolicySource">The concrete source type to instantiate.</typeparam>
/// <returns>A freshly constructed, unconfigured source.</returns>
private IContentSecurityPolicySource GetSourceSettings<TContentSecurityPolicySource>()
    where TContentSecurityPolicySource : class, IContentSecurityPolicySource, new()
{
    // The item-driven option mapping lives in the overload taking an Item; this
    // overload intentionally performs no configuration.
    return new TContentSecurityPolicySource();
}
/// <summary>
/// Copy constructor: takes the option flags and the hostname list from another source.
/// </summary>
/// <param name="source">
/// The source to copy from; when <c>null</c> the new instance keeps its default
/// <c>Options</c> and <c>Hostnames</c>.
/// </param>
public ContentSecurityPolicySource(IContentSecurityPolicySource source)
{
    if (source == null)
    {
        return;
    }

    // Options is assigned by reference, not cloned. If the Options type is a class the two
    // sources share one object and a later flag change affects both — TODO confirm this is intended.
    Options = source.Options;
    Hostnames = source.Hostnames;
}
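/// <summary>
/// Reads a policy source from a Sitecore item: the option flags come from a multilist field
/// whose selected items are named after the options ("None", "All", "Self", "Data",
/// "Unsafe Inline", "Unsafe Eval"); the host list comes from the raw value of a second field.
/// </summary>
/// <typeparam name="TContentSecurityPolicySource">The concrete source type to instantiate.</typeparam>
/// <param name="csp">The configuration item; <c>null</c> yields <c>null</c>.</param>
/// <param name="optionsFieldname">Name of the multilist field holding the option items.</param>
/// <param name="hostnameFieldname">Name of the field holding the hostnames.</param>
/// <returns>
/// The populated source, or <c>null</c> when the item is missing or has no options field.
/// </returns>
private IContentSecurityPolicySource GetSourceSettings<TContentSecurityPolicySource>(Item csp, string optionsFieldname, string hostnameFieldname)
    where TContentSecurityPolicySource : class, IContentSecurityPolicySource, new()
{
    if (csp == null)
    {
        return null;
    }

    var optionsField = csp.Fields[optionsFieldname];
    if (optionsField == null)
    {
        return null;
    }

    var source = new TContentSecurityPolicySource();
    var listField = (MultilistField)optionsField;

    foreach (var option in listField.GetItems())
    {
        switch (option.Name)
        {
            case "None":
                // "None" wins outright: stop reading further options and leave Hostnames
                // unset, since no host list is meaningful alongside it.
                source.Options.None = true;
                return source;
            case "All":
                source.Options.All = true;
                break;
            case "Self":
                source.Options.Self = true;
                break;
            case "Data":
                source.Options.Data = true;
                break;
            case "Unsafe Inline":
                source.Options.UnsafeInline = true;
                break;
            case "Unsafe Eval":
                source.Options.UnsafeEval = true;
                break;
            default:
                // Unknown option items are skipped but logged so a misnamed item in content is visible.
                Log.Warn($"Content Security Policy returned unrecognized value: {option.Name}", this);
                break;
        }
    }

    // The hostnames field is optional; a missing field means an empty host list.
    // (The original re-checked optionsField for null here, which could not be null at this point.)
    // This raw field value is later placed into header text by GenerateSourcePolicy and
    // CreateXFrameOptionsHeaderBasedOnPolicySource, so it is content-editor controlled.
    var hostnameField = csp.Fields[hostnameFieldname];
    source.Hostnames = hostnameField != null ? hostnameField.Value : String.Empty;

    return source;
}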
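/// <summary>
/// Adds an <c>X-Frame-Options</c> header derived from a policy source: <c>DENY</c> when the
/// None option is set, <c>SameOrigin</c> when Self is set, otherwise <c>Allow-FROM</c> with the
/// configured hostnames when any are present. Nothing is added when no case applies.
/// </summary>
/// <param name="source">The policy source to translate.</param>
/// <param name="args">Pipeline arguments whose response receives the header.</param>
private void CreateXFrameOptionsHeaderBasedOnPolicySource(IContentSecurityPolicySource source, HttpRequestArgs args)
{
    if (source.Options.None)
    {
        args.Context.Response.Headers.Add(XFrameOptionsHeader, "DENY");
    }
    else if (source.Options.Self)
    {
        args.Context.Response.Headers.Add(XFrameOptionsHeader, "SameOrigin");
    }
    else if (!String.IsNullOrEmpty(source.Hostnames))
    {
        // Fix: the original condition lacked the negation, so it emitted "Allow-FROM " with no
        // host when none was configured and emitted nothing when hosts were configured.
        // Note: ALLOW-FROM takes a single origin and is not honoured by all browsers, so the CSP
        // frame-ancestors directive is the portable control; Hostnames may hold more than one
        // host (it is also used as a CSP source list) — TODO confirm the field format.
        args.Context.Response.Headers.Add(XFrameOptionsHeader, $"Allow-FROM {source.Hostnames}");
    }
}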