/// <summary>
/// Parameterless constructor: builds the module's four collaborators with their
/// default constructors. Nothing is injected here, so a caller that needs a
/// different helper (e.g. a custom report-handler path) cannot swap one in
/// through this constructor.
/// </summary>
public HttpHeaderSecurityModule()
{
    // Order matches the original; the helpers are assumed independent of one another.
    _cspReportHelper = new CspReportHelper();
    _configHeaderSetter = new ConfigurationHeaderSetter();
    _handlerTypeHelper = new HandlerTypeHelper();
    _redirectValidationHelper = new RedirectValidationHelper();
}
/// <summary>
/// A well-formed, Chrome-style CSP violation report (no "referrer" member) read from the
/// request body is parsed, and every field present in the JSON surfaces on
/// <c>CspViolationReport.Details</c>; the absent referrer comes back as an empty string.
/// </summary>
/// <remarks>
/// NOTE(review): the report body is browser-supplied, attacker-controllable input. This
/// test exercises only the happy path; malformed JSON, missing "csp-report" wrapper and
/// oversized bodies are not covered here.
/// </remarks>
public void GetCspReportFromRequest_FromChrome_ReadsCspReportFromRequest()
{
    // Arrange
    const string reportJson = "{\"csp-report\":{\"document-uri\":\"http://localhost/NWebsecMvc3\",\"violated-directive\":\"script-src 'none'\",\"original-policy\":\"script-src 'none'; report-uri /NWebsecMvc3/WebResource.axd?cspReport=true\",\"blocked-uri\":\"http://localhost/NWebsecMvc3/Scripts/jquery-1.7.1.min.js\"}}";
    var sut = new CspReportHelper();
    var request = new Mock<HttpRequestBase>();

    using (var body = new MemoryStream(Encoding.UTF8.GetBytes(reportJson)))
    {
        request.Setup(r => r.InputStream).Returns(body);

        // Act
        CspViolationReport report;
        var parsed = sut.TryGetCspReportFromRequest(request.Object, out report);

        // Assert
        Assert.IsTrue(parsed);
        var details = report.Details;
        Assert.IsNotNull(details);
        Assert.AreEqual("http://localhost/NWebsecMvc3", details.DocumentUri);
        Assert.AreEqual("script-src 'none'", details.ViolatedDirective);
        Assert.AreEqual("script-src 'none'; report-uri /NWebsecMvc3/WebResource.axd?cspReport=true", details.OriginalPolicy);
        Assert.AreEqual("http://localhost/NWebsecMvc3/Scripts/jquery-1.7.1.min.js", details.BlockedUri);
        // The payload carries no "referrer" key: expected to be reported as "" rather than null.
        Assert.AreEqual("", details.Referrer);
    }
}
/// <summary>
/// A request that carries the <c>cspReport=true</c> query flag but targets a path other than
/// the built-in report handler's path is NOT treated as a report-handler request.
/// </summary>
/// <remarks>
/// This pins the path check: the query-string flag alone must not be enough to route a
/// request into the built-in handler, since the query string is trivially client-controlled.
/// </remarks>
public void IsRequestForBuiltInCspReportHandler_IsNotBuiltinReportHandler_ReturnsFalse()
{
    // Arrange: the helper is told the built-in handler lives at WebResource.axd ...
    var handlerPath = new Mock<ICspReportHandlerPathHelper>();
    handlerPath.Setup(h => h.GetBuiltinCspReportHandlerPath()).Returns("/NWebSec/WebResource.axd");
    var sut = new CspReportHelper(handlerPath.Object);

    // ... while the incoming request has the report flag but a different path.
    var query = new NameValueCollection { { "cspReport", "true" } };
    var request = new Mock<HttpRequestBase>();
    request.Setup(r => r.Path).Returns("/NWebSec/SomeOtherResource");
    request.Setup(r => r.QueryString).Returns(query);

    // Act
    var isBuiltInHandler = sut.IsRequestForBuiltInCspReportHandler(request.Object);

    // Assert
    Assert.IsFalse(isBuiltInHandler);
}
/// <summary>
/// The request's User-Agent header is copied verbatim onto the parsed
/// <c>CspViolationReport.UserAgent</c>.
/// </summary>
/// <remarks>
/// NOTE(review): User-Agent is a client-supplied header and is carried through unchanged;
/// anything that later logs or renders the report should treat it as untrusted text
/// (verify the consumers encode it).
/// </remarks>
public void GetCspReportFromRequest_IncludesUserAgentInCspReport()
{
    // Arrange
    const string expectedUserAgent = "Opera, of course!";
    const string reportJson = "{\"csp-report\":{\"document-uri\":\"http://localhost/NWebsecMvc3\",\"referrer\":\"\",\"blocked-uri\":\"http://localhost/NWebsecMvc3/Scripts/jquery-1.7.1.min.js\",\"violated-directive\":\"script-src 'none'\"}}";
    var request = new Mock<HttpRequestBase>();
    request.Setup(r => r.UserAgent).Returns(expectedUserAgent);
    var sut = new CspReportHelper();

    using (var body = new MemoryStream(Encoding.UTF8.GetBytes(reportJson)))
    {
        request.Setup(r => r.InputStream).Returns(body);

        // Act
        CspViolationReport report;
        var parsed = sut.TryGetCspReportFromRequest(request.Object, out report);

        // Assert
        Assert.IsTrue(parsed);
        Assert.AreEqual(expectedUserAgent, report.UserAgent);
    }
}