 /// <summary>
 /// Default constructor: wires the module to its four collaborators
 /// (CSP report helper, configuration-driven header setter, handler type
 /// helper and redirect validation helper) using their parameterless
 /// constructors. Nothing else is initialised here.
 /// </summary>
 public HttpHeaderSecurityModule()
 {
     _cspReportHelper          = new CspReportHelper();
     _configHeaderSetter       = new ConfigurationHeaderSetter();
     _handlerTypeHelper        = new HandlerTypeHelper();
     _redirectValidationHelper = new RedirectValidationHelper();
 }
        /// <summary>
        /// A Chrome-style CSP violation report posted in the request body is parsed into a
        /// <c>CspViolationReport</c>: the JSON fields document-uri, violated-directive,
        /// original-policy and blocked-uri land on <c>Details</c>, and a referrer that is
        /// absent from the report surfaces as an empty string rather than null.
        /// </summary>
        public void GetCspReportFromRequest_FromChrome_ReadsCspReportFromRequest()
        {
            // The report body is client-supplied; this case exercises a well-formed payload only.
            const string reportJson =
                "{\"csp-report\":{\"document-uri\":\"http://localhost/NWebsecMvc3\",\"violated-directive\":\"script-src 'none'\",\"original-policy\":\"script-src 'none'; report-uri /NWebsecMvc3/WebResource.axd?cspReport=true\",\"blocked-uri\":\"http://localhost/NWebsecMvc3/Scripts/jquery-1.7.1.min.js\"}}";

            var reportHelper = new CspReportHelper();
            var request = new Mock<HttpRequestBase>();

            using (var body = new MemoryStream(Encoding.UTF8.GetBytes(reportJson)))
            {
                request.Setup(r => r.InputStream).Returns(body);

                CspViolationReport parsed;
                var parsedOk = reportHelper.TryGetCspReportFromRequest(request.Object, out parsed);
                Assert.IsTrue(parsedOk);

                var details = parsed.Details;
                Assert.IsNotNull(details);
                Assert.AreEqual("http://localhost/NWebsecMvc3", details.DocumentUri);
                Assert.AreEqual("script-src 'none'", details.ViolatedDirective);
                Assert.AreEqual("script-src 'none'; report-uri /NWebsecMvc3/WebResource.axd?cspReport=true",
                                details.OriginalPolicy);
                Assert.AreEqual("http://localhost/NWebsecMvc3/Scripts/jquery-1.7.1.min.js", details.BlockedUri);
                // No "referrer" key in the payload: the helper must still yield an empty string.
                Assert.AreEqual("", details.Referrer);
            }
        }
        /// <summary>
        /// A request that carries the <c>cspReport=true</c> query parameter but targets a path
        /// other than the built-in report handler path must not be classified as a report
        /// submission. The handler path is supplied by a stubbed
        /// <c>ICspReportHandlerPathHelper</c>.
        /// </summary>
        public void IsRequestForBuiltInCspReportHandler_IsNotBuiltinReportHandler_ReturnsFalse()
        {
            var pathHelper = new Mock<ICspReportHandlerPathHelper>();
            pathHelper.Setup(h => h.GetBuiltinCspReportHandlerPath()).Returns("/NWebSec/WebResource.axd");

            // Query string matches the report handler, the path does not: path must win.
            var request = new Mock<HttpRequestBase>();
            request.Setup(r => r.Path).Returns("/NWebSec/SomeOtherResource");
            request.Setup(r => r.QueryString).Returns(new NameValueCollection { { "cspReport", "true" } });

            var reportHelper = new CspReportHelper(pathHelper.Object);
            var isReportHandlerRequest = reportHelper.IsRequestForBuiltInCspReportHandler(request.Object);

            Assert.IsFalse(isReportHandlerRequest);
        }
        /// <summary>
        /// When a CSP report is parsed from the request, the request's User-Agent header value
        /// is copied verbatim onto <c>CspViolationReport.UserAgent</c>. The header is
        /// client-controlled, so it is recorded alongside the report rather than trusted.
        /// </summary>
        public void GetCspReportFromRequest_IncludesUserAgentInCspReport()
        {
            const string userAgent = "Opera, of course!";
            const string reportJson =
                "{\"csp-report\":{\"document-uri\":\"http://localhost/NWebsecMvc3\",\"referrer\":\"\",\"blocked-uri\":\"http://localhost/NWebsecMvc3/Scripts/jquery-1.7.1.min.js\",\"violated-directive\":\"script-src 'none'\"}}";

            var request = new Mock<HttpRequestBase>();
            request.Setup(r => r.UserAgent).Returns(userAgent);

            var reportHelper = new CspReportHelper();

            using (var body = new MemoryStream(Encoding.UTF8.GetBytes(reportJson)))
            {
                request.Setup(r => r.InputStream).Returns(body);

                CspViolationReport parsed;
                var parsedOk = reportHelper.TryGetCspReportFromRequest(request.Object, out parsed);
                Assert.IsTrue(parsedOk);

                Assert.AreEqual(userAgent, parsed.UserAgent);
            }
        }