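        /// <summary>
        /// Renders one CSP directive from <paramref name="csp"/>: the directive name,
        /// the keyword options produced by <see cref="GeneratePolicyOptions"/>, and the
        /// configured host list, terminated by ";".
        /// </summary>
        /// <param name="csp">Source to render; <c>null</c> yields an empty string.</param>
        /// <returns>
        /// The directive text ending in ";", or <see cref="String.Empty"/> when the source
        /// has neither options nor hostnames (a directive with an empty source list would
        /// be emitted as a malformed policy).
        /// </returns>
        private string GenerateSourcePolicy(IContentSecurityPolicySource csp)
        {
            if (csp == null)
            {
                return String.Empty;
            }

            // Evaluate the option keywords once and reuse the result below.
            string policyOptions = GeneratePolicyOptions(csp.Options);

            // IsNullOrWhiteSpace is null-safe: a source whose "None" option was selected
            // can reach here with Hostnames still unset, which a Trim() call would not survive.
            if (String.IsNullOrWhiteSpace(policyOptions) && String.IsNullOrWhiteSpace(csp.Hostnames))
            {
                return String.Empty;
            }

            string source = String.Concat(csp.Name, " ", policyOptions);

            // 'none' must stand alone in a source list, so hostnames are dropped for it.
            if (!csp.Options.None)
            {
                // NOTE(review): Hostnames is appended verbatim. It is CMS-authored content,
                // but a ';' or line break in the field would change the emitted policy —
                // confirm the field is validated where it is authored.
                source += csp.Hostnames;
            }

            if (String.IsNullOrEmpty(source))
            {
                return String.Empty;
            }

            return source + ";";
        }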
        /// <summary>
        /// Creates a <typeparamref name="TContentSecurityPolicySource"/> via its parameterless
        /// constructor and returns it unpopulated. No item or field is consulted here; the
        /// overload taking an <c>Item</c> and field names fills in options and hostnames.
        /// </summary>
        /// <typeparam name="TContentSecurityPolicySource">Concrete source type to instantiate.</typeparam>
        /// <returns>A freshly constructed source with whatever defaults its constructor sets.</returns>
        private IContentSecurityPolicySource GetSourceSettings <TContentSecurityPolicySource>() where TContentSecurityPolicySource : class, IContentSecurityPolicySource, new()
        {
            return new TContentSecurityPolicySource();
        }
 /// <summary>
 /// Copy constructor: takes over <c>Options</c> and <c>Hostnames</c> from
 /// <paramref name="source"/>. Both assignments are plain copies — if <c>Options</c> is a
 /// reference type, this instance and <paramref name="source"/> share the same object.
 /// </summary>
 /// <param name="source">Source to copy from; <c>null</c> leaves this instance at its defaults.</param>
 public ContentSecurityPolicySource(IContentSecurityPolicySource source)
 {
     if (source is null)
     {
         return;
     }

     Options   = source.Options;
     Hostnames = source.Hostnames;
 }
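        /// <summary>
        /// Builds a <typeparamref name="TContentSecurityPolicySource"/> from a Sitecore item:
        /// the multilist field <paramref name="optionsFieldname"/> selects keyword options by
        /// the name of each referenced item, and <paramref name="hostnameFieldname"/> supplies
        /// the raw host list.
        /// </summary>
        /// <typeparam name="TContentSecurityPolicySource">Concrete source type to instantiate.</typeparam>
        /// <param name="csp">Item holding the policy fields; <c>null</c> yields <c>null</c>.</param>
        /// <param name="optionsFieldname">Name of the multilist field listing option items.</param>
        /// <param name="hostnameFieldname">Name of the field whose raw value is the host list.</param>
        /// <returns>
        /// The populated source, or <c>null</c> when <paramref name="csp"/> is <c>null</c> or has
        /// no <paramref name="optionsFieldname"/> field. When the "None" option is selected the
        /// source is returned as soon as it is seen, with <c>Options.None</c> set and
        /// <c>Hostnames</c> left at its default.
        /// </returns>
        private IContentSecurityPolicySource GetSourceSettings <TContentSecurityPolicySource>(Item csp, string optionsFieldname, string hostnameFieldname) where TContentSecurityPolicySource : class, IContentSecurityPolicySource, new()
        {
            if (csp == null)
            {
                return null;
            }

            var optionsField = csp.Fields[optionsFieldname];
            if (optionsField == null)
            {
                return null;
            }

            var source = new TContentSecurityPolicySource();

            // The cast relies on Sitecore's Field -> MultilistField conversion; it is assumed
            // to succeed for a correctly typed field — TODO confirm behaviour for other types.
            var listField = (MultilistField)optionsField;
            foreach (var option in listField.GetItems())
            {
                switch (option.Name)
                {
                case "None":
                    // 'none' excludes every other source, so the remaining options are ignored.
                    source.Options.None = true;
                    return source;

                case "All":
                    source.Options.All = true;
                    break;

                case "Self":
                    source.Options.Self = true;
                    break;

                case "Data":
                    source.Options.Data = true;
                    break;

                case "Unsafe Inline":
                    source.Options.UnsafeInline = true;
                    break;

                case "Unsafe Eval":
                    source.Options.UnsafeEval = true;
                    break;

                default:
                    // An unexpected option item is skipped but logged, so a policy that came
                    // out weaker than intended can be traced back to the content.
                    Log.Warn($"Content Security Policy returned unrecognized value: {option.Name}", this);
                    break;
                }
            }

            // The hostname field is optional; a missing field yields an empty host list.
            var hostnameField = csp.Fields[hostnameFieldname];
            source.Hostnames = hostnameField != null ? hostnameField.Value : String.Empty;

            return source;
        }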
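 /// <summary>
 /// Emits an X-Frame-Options header derived from <paramref name="source"/> (presumably the
 /// frame-ancestors source — verify against the caller): "DENY" for the None option,
 /// "SameOrigin" for Self, and ALLOW-FROM with the configured hostnames otherwise. A source
 /// with neither option nor hostnames produces no header.
 /// </summary>
 /// <param name="source">Policy source to translate; must not be <c>null</c>.</param>
 /// <param name="args">Pipeline args whose response receives the header.</param>
 /// <remarks>
 /// ALLOW-FROM takes a single origin and is no longer honoured by current browsers, which
 /// generally ignore an X-Frame-Options value they do not recognise. A multi-host
 /// <c>Hostnames</c> value therefore yields a header with no effect; the CSP frame-ancestors
 /// directive is the control that actually enforces the host list, and this header is only
 /// a fallback for legacy clients.
 /// </remarks>
 private void CreateXFrameOptionsHeaderBasedOnPolicySource(IContentSecurityPolicySource source, HttpRequestArgs args)
 {
     if (source.Options.None)
     {
         args.Context.Response.Headers.Add(XFrameOptionsHeader, "DENY");
     }
     else if (source.Options.Self)
     {
         args.Context.Response.Headers.Add(XFrameOptionsHeader, "SameOrigin");
     }
     else if (!String.IsNullOrEmpty(source.Hostnames))
     {
         // Only emit ALLOW-FROM when an origin is actually configured; an empty value
         // would produce a dangling "Allow-FROM " header.
         args.Context.Response.Headers.Add(XFrameOptionsHeader, $"Allow-FROM {source.Hostnames}");
     }
 }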