/// <summary>
/// A policy with every constant-valued directive plus a script-src nonce must be
/// reported as having per-request values. Note that despite the "WhenNotUsingNonce"
/// in the method name, the body does add a nonce via WithNonce(); the assertion
/// is what this test actually checks.
/// </summary>
public void Build_ForAllHeaders_WhenNotUsingNonce_HasPerRequestValuesReturnsTrue()
{
    const string url = "http://testUrl.com";
    var sut = new CspBuilder();

    // All directives whose values are fixed at build time.
    Action<CspBuilder>[] constantDirectives =
    {
        b => b.AddDefaultSrc().Self().Blob().Data().From(url),
        b => b.AddConnectSrc().Self().Blob().Data().From(url),
        b => b.AddFontSrc().Self().Blob().Data().From(url),
        b => b.AddObjectSrc().Self().Blob().Data().From(url),
        b => b.AddFormAction().Self().Blob().Data().From(url),
        b => b.AddWorkerSrc().Self().Blob().Data().From(url),
        b => b.AddImgSrc().Self().Blob().Data().From(url),
        b => b.AddStyleSrc().Self().Blob().Data().From(url),
        b => b.AddMediaSrc().Self().Blob().Data().From(url),
        b => b.AddFrameAncestors().Self().Blob().Data().From(url),
        b => b.AddBaseUri().Self().Blob().Data().From(url),
        b => b.AddUpgradeInsecureRequests(),
        b => b.AddBlockAllMixedContent(),
    };
    foreach (var apply in constantDirectives)
    {
        apply(sut);
    }

    // The nonce is the only value that changes per request.
    sut.AddScriptSrc().WithNonce();

    var built = sut.Build();

    built.HasPerRequestValues.Should().BeTrue();
}
/// <summary>Building a policy with no directives yields no header value.</summary>
public void Build_WhenNoValues_ReturnsNull()
{
    var built = new CspBuilder().Build();

    built.Should().BeNullOrEmpty();
}
/// <summary>An empty policy has nothing that varies per request.</summary>
public void Build_WhenNoValues_HasPerRequestValuesReturnsFalse()
{
    var built = new CspBuilder().Build();

    built.HasPerRequestValues.Should().BeFalse();
}
/// <summary>SetBlockAllMixedContent() is reflected in the built options.</summary>
public void SetBlockAllMixedContent_SetsBlockAllMixedContentToTrue()
{
    var sut = new CspBuilder();
    sut.SetBlockAllMixedContent();

    Assert.True(sut.BuildCspOptions().BlockAllMixedContent);
}
/// <summary>SetUpgradeInsecureRequests() is reflected in the built options.</summary>
public void SetUpgradeInsecureRequests_SetsUpgradeInsecureRequestsToTrue()
{
    var sut = new CspBuilder();
    sut.SetUpgradeInsecureRequests();

    Assert.True(sut.BuildCspOptions().UpgradeInsecureRequests);
}
/// <summary>SetReportOnly() switches the built options to report-only mode.</summary>
public void SetReportOnly_SetsReportOnlyToTrue()
{
    var sut = new CspBuilder();
    sut.SetReportOnly();

    Assert.True(sut.BuildCspOptions().ReportOnly);
}
/// <summary>EnableSandbox() is reflected in the built options.</summary>
public void EnableSandbox_EnablesTheSandbox()
{
    var sut = new CspBuilder();
    sut.EnableSandbox();

    Assert.True(sut.BuildCspOptions().EnableSandbox);
}
/// <summary>ReportViolationsTo() stores the given path as the report URI.</summary>
public void ReportViolationsTo_SetsTheReportUri()
{
    const string reportPath = "/somewhere";
    var sut = new CspBuilder();
    sut.ReportViolationsTo(reportPath);

    Assert.Equal(reportPath, sut.BuildCspOptions().ReportUri);
}
/// <summary>The upgrade-insecure-requests directive is emitted verbatim.</summary>
public void Build_AddUpgradeInsecureRequests_AddsValue()
{
    var policy = new CspBuilder()
        .AddUpgradeInsecureRequests()
        .Build();

    policy.Should().Be("upgrade-insecure-requests");
}
/// <summary>The block-all-mixed-content directive is emitted verbatim.</summary>
public void Build_AddBlockAllMixedContent_AddsValue()
{
    var policy = new CspBuilder()
        .AddBlockAllMixedContent()
        .Build();

    policy.Should().Be("block-all-mixed-content");
}
/// <summary>IncludeXHeader() is reflected in the built options.</summary>
public void IncludeXHeader_SetsIncludeXHeaderToTrue()
{
    var sut = new CspBuilder();
    sut.IncludeXHeader();

    Assert.True(sut.BuildCspOptions().IncludeXHeader);
}
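/// <summary>
/// Adds the Content Security Policy header middleware to the pipeline,
/// configured through <paramref name="builderAction"/>.
/// </summary>
/// <param name="app">The <see cref="IApplicationBuilder"/>.</param>
/// <param name="builderAction">Configuration action for the header.</param>
/// <returns>The same <see cref="IApplicationBuilder"/>, for chaining.</returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="app"/> or <paramref name="builderAction"/> is <c>null</c>.
/// </exception>
public static IApplicationBuilder UseCsp(this IApplicationBuilder app, Action<CspBuilder> builderAction)
{
    // Fail at registration time rather than with a NullReferenceException on
    // first request; a missing configuration would otherwise register a
    // middleware with an empty (and therefore useless) policy.
    if (app == null)
    {
        throw new ArgumentNullException(nameof(app));
    }
    if (builderAction == null)
    {
        throw new ArgumentNullException(nameof(builderAction));
    }

    var builder = new CspBuilder();
    builderAction(builder);

    // The options are snapshotted here and handed to the middleware as an
    // explicit constructor argument (wrapped in OptionsWrapper), so later
    // changes to the builder do not affect the registered middleware.
    CspOptions options = builder.BuildCspOptions();
    return app.UseMiddleware<CspMiddleware>(new OptionsWrapper<CspOptions>(options));
}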
/// <summary>The report-uri directive is emitted with its target URL.</summary>
public void Build_ReportUri_AddsValue()
{
    const string target = "http://testUrl.com";
    var sut = new CspBuilder();
    sut.AddReportUri().To(target);

    var policy = sut.Build();

    policy.Should().Be("report-uri http://testUrl.com");
}
/// <summary>AllowPrefetch renders as a prefetch-src directive.</summary>
public void WithPrefetch_ReturnsCorrectHeader()
{
    var sut = new CspBuilder();
    sut.AllowPrefetch.From("https://www.google.com");

    var rendered = sut.BuildCspOptions().ToString(null);

    Assert.Equal("prefetch-src https://www.google.com", rendered.headerValue);
}
/// <summary>RequireSri.ForScripts() renders as a require-sri-for directive.</summary>
public void RequireSriFor_ReturnsCorrectHeader()
{
    var sut = new CspBuilder();
    sut.RequireSri.ForScripts();

    var rendered = sut.BuildCspOptions().ToString(null);

    Assert.Equal("require-sri-for script", rendered.headerValue);
}
/// <summary>
/// frame-src and worker-src are both rendered, separated by a semicolon with no
/// trailing space, and OnlyOverHttps() contributes the "https:" scheme source.
/// </summary>
public void WithFramesAndWorkers_ReturnsCorrectHeader()
{
    var sut = new CspBuilder();
    sut.AllowFrames.From("https://www.google.com");
    sut.AllowWorkers.FromSelf().OnlyOverHttps();

    var rendered = sut.BuildCspOptions().ToString(null);

    Assert.Equal("frame-src https://www.google.com;worker-src 'self' https:", rendered.headerValue);
}
/// <summary>
/// Custom directives are emitted in insertion order; a directive without a
/// value is written as the bare name.
/// </summary>
public void Build_CustomDirective_AddsValues()
{
    var sut = new CspBuilder();
    sut.AddCustomDirective("report-to");
    sut.AddCustomDirective("plugin-types", "application/x-shockwave-flash");

    var policy = sut.Build();

    policy.Should().Be("report-to; plugin-types application/x-shockwave-flash");
}
/// <summary>
/// Re-adding a directive replaces the earlier definition instead of merging
/// with it; only the last value survives.
/// </summary>
public void Build_AddingTheSameDirectiveTwice_OverwritesThePreviousCopy()
{
    var sut = new CspBuilder();
    sut.AddDefaultSrc().Self();
    sut.AddDefaultSrc().None();

    var policy = sut.Build();

    policy.Should().Be("default-src 'none'");
}
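/// <summary>
/// Configure a content security policy.
/// </summary>
/// <param name="configure">Configure the CSP.</param>
/// <param name="asReportOnly">If true, the header is added as report only.</param>
/// <returns>The configured <see cref="ContentSecurityPolicyHeader"/>.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="configure"/> is <c>null</c>.</exception>
public static ContentSecurityPolicyHeader Build(Action<CspBuilder> configure, bool asReportOnly)
{
    // A null configure delegate would previously surface as a NullReferenceException
    // at the call site below; report it as an argument error instead.
    if (configure == null)
    {
        throw new ArgumentNullException(nameof(configure));
    }

    var builder = new CspBuilder();
    configure(builder);

    var cspResult = builder.Build();

    // A policy that contains per-request material (e.g. a nonce) cannot be
    // rendered once up front, so the header keeps the builder and renders on
    // each request; a fully constant policy is rendered once here.
    return cspResult.HasPerRequestValues
        ? new ContentSecurityPolicyHeader(cspResult.Builder, asReportOnly)
        : new ContentSecurityPolicyHeader(cspResult.ConstantValue, asReportOnly);
}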
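/// <summary>
/// Adds a basic baseline CSP: block mixed content, restrict the default, font and
/// style sources to the site itself (plus data: URIs for fonts), and optionally
/// send violation reports to <paramref name="reportUri"/>.
/// </summary>
/// <param name="csp">The builder to configure.</param>
/// <param name="reportUri">
/// Target for the report-uri directive; ignored when null, empty or whitespace.
/// </param>
/// <returns>The same <paramref name="csp"/>, for chaining.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="csp"/> is <c>null</c>.</exception>
/// <remarks>
/// style-src includes 'unsafe-inline', which allows any inline &lt;style&gt; or
/// style attribute to execute; callers needing protection against CSS injection
/// should override style-src with a nonce- or hash-based source list.
/// </remarks>
public static CspBuilder AddDefaultCsp(this CspBuilder csp, string reportUri)
{
    if (csp == null)
    {
        throw new ArgumentNullException(nameof(csp));
    }

    // Only emit report-uri when there is an actual target.
    if (!string.IsNullOrWhiteSpace(reportUri))
    {
        csp.AddReportUri().To(reportUri);
    }

    csp.AddBlockAllMixedContent();
    csp.AddDefaultSrc().Self();
    csp.AddFontSrc().Self().Data();
    csp.AddStyleSrc().Self().UnsafeInline();

    return csp;
}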
/// <summary>form-action lists every added source in the order added.</summary>
public void Build_AddFormAction_WhenAddsMultipleValue_ReturnsAllValues()
{
    var sut = new CspBuilder();
    var formAction = sut.AddFormAction();
    formAction.Self();
    formAction.Blob();
    formAction.Data();
    formAction.From("http://testUrl.com");

    var policy = sut.Build();

    policy.Should().Be("form-action 'self' blob: data: http://testUrl.com");
}
/// <summary>object-src lists every added source in the order added.</summary>
public void Build_AddObjectSrc_WhenAddsMultipleValue_ReturnsAllValues()
{
    var sut = new CspBuilder();
    var objectSrc = sut.AddObjectSrc();
    objectSrc.Self();
    objectSrc.Blob();
    objectSrc.Data();
    objectSrc.From("http://testUrl.com");

    var policy = sut.Build();

    policy.Should().Be("object-src 'self' blob: data: http://testUrl.com");
}
/// <summary>base-uri lists every added source in the order added.</summary>
public void Build_AddBaseUri_WhenAddsMultipleValue_ReturnsAllValues()
{
    var sut = new CspBuilder();
    var baseUri = sut.AddBaseUri();
    baseUri.Self();
    baseUri.Blob();
    baseUri.Data();
    baseUri.From("http://testUrl.com");

    var policy = sut.Build();

    policy.Should().Be("base-uri 'self' blob: data: http://testUrl.com");
}
/// <summary>frame-ancestors lists every added source in the order added.</summary>
public void Build_AddFrameAncestors_WhenAddsMultipleValue_ReturnsAllValues()
{
    var sut = new CspBuilder();
    var frameAncestors = sut.AddFrameAncestors();
    frameAncestors.Self();
    frameAncestors.Blob();
    frameAncestors.Data();
    frameAncestors.From("http://testUrl.com");

    var policy = sut.Build();

    policy.Should().Be("frame-ancestors 'self' blob: data: http://testUrl.com");
}
/// <summary>
/// From() accepts a sequence of origins and appends each of them, in order,
/// after the keyword and scheme sources.
/// </summary>
public void Build_AddDefaultSrc_WhenAddsMultipleValueEnumerable_ReturnsAllValues()
{
    string[] origins = { "http://testUrl.com", "http://testUrl2.com" };
    var sut = new CspBuilder();
    sut.AddDefaultSrc()
        .Self()
        .Blob()
        .Data()
        .From(origins);

    var built = sut.Build();

    built.ConstantValue.Should().Be("default-src 'self' blob: data: http://testUrl.com http://testUrl2.com");
}
/// <summary>
/// The OnSendingHeader callback set on the builder is carried into the built
/// options and can suppress the header by setting ShouldNotSend.
/// </summary>
public async Task OnSendingHeader_ShouldNotSendTest()
{
    var sut = new CspBuilder
    {
        OnSendingHeader = ctx =>
        {
            ctx.ShouldNotSend = true;
            return Task.CompletedTask;
        },
    };
    var options = sut.BuildCspOptions();
    var headerContext = new CspSendingHeaderContext(null);

    await options.OnSendingHeader(headerContext);

    Assert.True(headerContext.ShouldNotSend);
}
/// <summary>
/// 'none' is exclusive: once it is added, every other source on the directive
/// is dropped from the rendered value.
/// </summary>
public void Build_AddDefaultSrc_WhenIncludesNone_OnlyWritesNone()
{
    var sut = new CspBuilder();
    var defaultSrc = sut.AddDefaultSrc();
    defaultSrc.Self();
    defaultSrc.Blob();
    defaultSrc.Data();
    defaultSrc.From("http://testUrl.com");
    defaultSrc.None();

    var policy = sut.Build();

    policy.Should().Be("default-src 'none'");
}
/// <summary>style-src lists every added source, including 'report-sample', in the order added.</summary>
public void Build_AddStyleSrc_WhenAddsMultipleValue_ReturnsAllValues()
{
    var sut = new CspBuilder();
    var styleSrc = sut.AddStyleSrc();
    styleSrc.Self();
    styleSrc.ReportSample();
    styleSrc.Blob();
    styleSrc.Data();
    styleSrc.From("http://testUrl.com");

    var built = sut.Build();

    built.ConstantValue.Should().Be("style-src 'self' 'report-sample' blob: data: http://testUrl.com");
}
/// <summary>
/// The permissive script-src keywords ('unsafe-eval', 'unsafe-inline',
/// 'strict-dynamic') are rendered verbatim alongside the other sources, in the
/// order they were added.
/// </summary>
public void Build_AddSrciptSrc_WhenAddsInsecureValues_ReturnsAllValues()
{
    var sut = new CspBuilder();
    var scriptSrc = sut.AddScriptSrc();
    scriptSrc.Self();
    scriptSrc.UnsafeEval();
    scriptSrc.UnsafeInline();
    scriptSrc.StrictDynamic();
    scriptSrc.ReportSample();
    scriptSrc.From("http://testUrl.com");

    var policy = sut.Build();

    policy.Should().Be("script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'report-sample' http://testUrl.com");
}
/// <summary>
/// Adding WithNonce() to script-src makes the built result per-request,
/// regardless of which other sources sit on the same directive.
/// </summary>
public void Build_AddSrciptSrc_WhenAddsNonce_HasPerRequestValuesReturnsTrue()
{
    var sut = new CspBuilder();
    var scriptSrc = sut.AddScriptSrc();
    scriptSrc.Self();
    scriptSrc.UnsafeEval();
    scriptSrc.UnsafeInline();
    scriptSrc.StrictDynamic();
    scriptSrc.ReportSample();
    scriptSrc.WithNonce();
    scriptSrc.From("http://testUrl.com");

    var built = sut.Build();

    built.HasPerRequestValues.Should().BeTrue();
}