public void Empty_options_builds_correct_header()
{
    // Arrange: a builder with a fixed nonce and no directives configured at all.
    CspOptionsBuilder sut = new CspOptionsBuilder("mynonce=");

    // Act / Assert: enforcing mode yields the standard header name with an empty value.
    CspHeader enforced = new CspHeader(sut.Build());
    Assert.Equal("Content-Security-Policy", enforced.Key);
    Assert.Empty(enforced.Value);

    // Flipping the same builder to report-only must switch the header name
    // (the value is not re-checked here).
    sut.ReportOnly();
    CspHeader reportOnly = new CspHeader(sut.Build());
    Assert.Equal("Content-Security-Policy-Report-Only", reportOnly.Key);
}
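/// <summary>
/// Adds middleware for using CSP, which adds the Content-Security-Policy header.
/// </summary>
/// <param name="app">The <see cref="IApplicationBuilder"/> instance this method extends.</param>
/// <param name="builderAction">A delegate used for setting up the <see cref="CspOptionsBuilder"/>.</param>
/// <returns>The <see cref="IApplicationBuilder"/> with the CSP middleware registered, for chaining.</returns>
/// <exception cref="ArgumentNullException">
/// <paramref name="app"/> or <paramref name="builderAction"/> is <c>null</c>.
/// </exception>
public static IApplicationBuilder UseCsp(this IApplicationBuilder app, Action<CspOptionsBuilder> builderAction)
{
    // Fail fast with a named argument instead of a NullReferenceException from
    // inside the delegate call or the pipeline registration.
    if (app == null)
    {
        throw new ArgumentNullException(nameof(app));
    }
    if (builderAction == null)
    {
        throw new ArgumentNullException(nameof(builderAction));
    }

    // NOTE(review): the policy is built once here, at startup, from a builder
    // that was given no nonce. Any nonce-based directive therefore cannot vary
    // per response — confirm this overload is only meant for static policies.
    CspOptionsBuilder builder = new CspOptionsBuilder();
    builderAction(builder);
    CspOptions options = builder.Build();
    return app.UseMiddleware<CspMiddleware>(options);
}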
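/// <summary>
/// Adds middleware for using CSP, which adds the Content-Security-Policy header.
/// </summary>
/// <param name="app">The <see cref="IApplicationBuilder"/> instance this method extends.</param>
/// <param name="builder">A delegate used for setting up the <see cref="CspOptionsBuilder"/>.</param>
/// <returns>The <see cref="IApplicationBuilder"/> with the CSP middleware registered, for chaining.</returns>
/// <exception cref="ArgumentNullException">
/// <paramref name="app"/> or <paramref name="builder"/> is <c>null</c>.
/// </exception>
public static IApplicationBuilder UseCsp(this IApplicationBuilder app, Action<CspOptionsBuilder> builder)
{
    // Fail fast with a named argument instead of a NullReferenceException from
    // inside the delegate call or the pipeline registration.
    if (app == null)
    {
        throw new ArgumentNullException(nameof(app));
    }
    if (builder == null)
    {
        throw new ArgumentNullException(nameof(builder));
    }

    // NOTE(review): the policy is built once here, at startup, from a builder
    // that was given no nonce. Any nonce-based directive therefore cannot vary
    // per response — confirm this overload is only meant for static policies.
    var newBuilder = new CspOptionsBuilder();
    builder(newBuilder);
    var options = newBuilder.Build();
    return app.UseMiddleware<CspOptionMiddlerWare>(options);
}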
public void Invoked_StringAdded()
{
    // Arrange
    var sut = new CspOptionsBuilder();

    // Act: this directive is a bare keyword and takes no sources.
    sut.UpgradeInsecureRequests();

    // Assert: the built policy consists of exactly that keyword.
    var built = sut.Build();
    Assert.Equal("upgrade-insecure-requests", built.Content);
}
public void Invoked_StringAdded()
{
    // Arrange
    var sut = new CspOptionsBuilder();

    // Act: this directive is a bare keyword and takes no sources.
    sut.BlockAllMixedContent();

    // Assert: the built policy consists of exactly that keyword.
    var built = sut.Build();
    Assert.Equal("block-all-mixed-content", built.Content);
}
public void ReportOnly_with_uri_options_builds_correct_header()
{
    // Arrange: report-only mode with a reporting endpoint, plus one script directive.
    CspOptionsBuilder sut = new CspOptionsBuilder("mynonce=");
    sut.ReportOnly("https://some.uri");
    sut.ScriptSources.AllowUnsafeEval();

    // Act
    CspHeader produced = new CspHeader(sut.Build());

    // Assert: the report-only header name is used, and the report-uri directive
    // is emitted alongside the configured script-src.
    Assert.Equal("Content-Security-Policy-Report-Only", produced.Key);
    Assert.Contains("script-src 'unsafe-eval';", produced.Value);
    Assert.Contains("report-uri https://some.uri;", produced.Value);
}
public void SomeBuildersReturnedDirectives_AllDirectivesIncluded()
{
    // Arrange: configure three of the many directives the builder offers.
    var sut = new CspOptionsBuilder();
    sut.ConnectSources.AllowSelf();
    sut.ScriptSources.AllowHosts("https://example.com");
    sut.Sandbox.AllowModals();

    // Act
    CspOptions built = sut.Build();

    // Assert: only the configured directives appear, joined by "; " with no
    // trailing separator.
    const string expected = "connect-src 'self'; script-src https://example.com; sandbox allow-modals";
    Assert.Equal(expected, built.Content);
}
/// <summary>
/// Invoke the middleware.
/// </summary>
/// <param name="context">The current HttpContext</param>
public Task Invoke(HttpContext context)
{
    context.EnsureNotNull(nameof(context));

    // One nonce per request: it is stored on the context for the rendering layer
    // and handed to the builder so the emitted policy carries the same value.
    // NOTE(review): CSP nonces must be unguessable and unique per response —
    // confirm _nonceGenerator is backed by a cryptographic RNG.
    var requestNonce = _nonceGenerator.GetNonce();
    context.SetNonce(requestNonce);

    // The policy is rebuilt on every request because it embeds the nonce.
    var optionsBuilder = new CspOptionsBuilder(requestNonce);
    _configure(optionsBuilder);
    var cspHeader = new CspHeader(optionsBuilder.Build());

    // Set the header before handing off, so it is present before the response
    // starts. Headers.Add is used rather than the indexer, so a CSP header that
    // is already present presumably surfaces as an exception instead of being
    // silently overwritten — verify that is the intended failure mode.
    context.Response.Headers.Add(cspHeader.Key, cspHeader.Value);

    return _next(context);
}
public void Invoked_AddedToOptions()
{
    // Arrange
    var sut = new CspOptionsBuilder();

    // Act: register a Reporting API group with a single endpoint.
    sut.AddReportingGroup(group =>
    {
        group.Group = "groupname";
        group.Endpoints.Add(new ReportGroupEndpoint("https://example.com/route"));
    });

    // Assert: the directive references the group by name, and the group
    // configuration is carried through unchanged to the built options.
    CspOptions built = sut.Build();
    Assert.Equal("report-to groupname", built.Content);

    var reportingGroup = built.ReportingGroup;
    Assert.Equal("groupname", reportingGroup.Group);
    Assert.Equal(1, reportingGroup.Endpoints.Count);
    Assert.Equal("https://example.com/route", reportingGroup.Endpoints[0].Url);
}
public void All_options_builds_correct_header()
{
    // Arrange: exercise every directive the builder exposes on a single policy.
    // Deliberately unsafe sources ('unsafe-eval', 'unsafe-inline', data:) are
    // configured here to check rendering, not as a recommended policy.
    var sut = new CspOptionsBuilder("mynonce=");
    sut.FrameAncestors.AllowNone();
    sut.BaseUri.AllowSelf();
    sut.DefaultSources.AllowSelf().AllowNonce();
    sut.FontSources.AllowAny();
    sut.ImageSources.AllowNonce("customnonce=");
    sut.MediaSources.AllowNone();
    sut.ObjectSources.AllowNone();
    sut.ScriptSources.AllowUnsafeEval();
    sut.StyleSources.AllowUnsafeInline().Allow("data:");
    sut.Custom("customDirective")
        .ForSources("mynonce=")
        .AllowHash("sha256", "hash1")
        .AllowHash("sha256", "hash2")
        .AllowNonce();
    sut.SetReportUri("https://some.uri");

    // Act
    var enforced = new CspHeader(sut.Build());

    // Assert: enforcing header name, then every directive rendered with its sources.
    Assert.Equal("Content-Security-Policy", enforced.Key);
    string[] expectedDirectives =
    {
        "default-src 'self' 'nonce-mynonce=';",
        "object-src 'none';",
        "frame-ancestors 'none';",
        "base-uri 'self';",
        "customDirective 'sha256-hash1' 'sha256-hash2' 'nonce-mynonce=';",
        "font-src *;",
        "img-src 'nonce-customnonce=';",
        "media-src 'none';",
        "script-src 'unsafe-eval';",
        "style-src 'unsafe-inline' data:;",
        "report-uri https://some.uri;",
    };
    foreach (string directive in expectedDirectives)
    {
        Assert.Contains(directive, enforced.Value);
    }

    // Switching the same builder to report-only must change the header name.
    sut.ReportOnly();
    var reportOnly = new CspHeader(sut.Build());
    Assert.Equal("Content-Security-Policy-Report-Only", reportOnly.Key);
}