public XfoMiddleware(AppFunc next, XFrameOptions options)
: base(next)
{
_config = options;
var headerGenerator = new HeaderGenerator();
_headerResult = headerGenerator.CreateXfoResult(_config);
}
public XfoMiddleware(RequestDelegate next, XFrameOptions options)
: base(next)
{
_config = options;
var headerGenerator = new HeaderGenerator();
_headerResult = headerGenerator.CreateXfoResult(_config);
}
public static void Frameguard(this IAppBuilder app, XFrameOptions xFrameOptions, Uri uri = null)
{
if (app == null)
{
throw new ArgumentNullException(nameof(app));
}
app.Use<FrameguardMiddleware>(xFrameOptions, uri);
}
public static void Frameguard(this IAppBuilder app, XFrameOptions xFrameOptions, Uri uri = null)
{
if (app == null)
{
throw new ArgumentNullException(nameof(app));
}
app.Use <FrameguardMiddleware>(xFrameOptions, uri);
}
/// <summary>
/// Declares a policy communicated from a host to the client browser on whether
/// the browser must not display the transmitted content in frames of other web pages
/// </summary>
/// <param name="xFrameOption">
/// Whether or not we should allow rendering this site within a frame.
/// Applicable values are: deny; sameorigin; and allowfrom
/// </param>
/// <param name="domain">
/// If allowfrom is supplied, this optional parameter describes the domain in which
/// our site is permitted to be loaded within a frame
/// </param>
/// <remarks>
/// If no value for <param name="xFrameOption"/> is rovided, then default one will be
/// used. This default value is based on the OWASP best practises value for X-Frame-Options.
/// </remarks>
public static SecureHeadersMiddlewareConfiguration UseXFrameOptions
(this SecureHeadersMiddlewareConfiguration config,
XFrameOptions xFrameOption = XFrameOptions.Deny,
string domain = null)
{
config.UseXFrameOptions = true;
config.XFrameOptionsConfiguration = new XFrameOptionsConfiguration(xFrameOption, domain);
return(config);
}
public FrameguardMiddleware(
OwinMiddleware next,
XFrameOptions xFrameOptions,
Uri uri = null) : base(next)
{
if (xFrameOptions == XFrameOptions.AllowFrom && uri == null)
{
throw new ArgumentNullException(nameof(uri));
}
_xFrameOptions = xFrameOptions;
_uri = uri;
}
public FrameguardMiddleware(
OwinMiddleware next,
XFrameOptions xFrameOptions,
Uri uri = null) : base(next)
{
if (xFrameOptions == XFrameOptions.AllowFrom && uri == null)
{
throw new ArgumentNullException(nameof(uri));
}
_xFrameOptions = xFrameOptions;
_uri = uri;
}
/// <summary>
/// Adds a middleware to the ASP.NET Core pipeline that sets the X-Frame-Options header.
/// </summary>
/// <param name="app">The <see cref="IApplicationBuilder" /> to which the middleware is added.</param>
/// <param name="configurer">An <see cref="Action" /> that configures the options for the middleware.</param>
/// <returns>The <see cref="IApplicationBuilder" /> supplied in the app parameter.</returns>
public static IApplicationBuilder UseXfo(this IApplicationBuilder app, Action <IFluentXFrameOptions> configurer)
{
if (app == null)
{
throw new ArgumentNullException(nameof(app));
}
if (configurer == null)
{
throw new ArgumentNullException(nameof(configurer));
}
var options = new XFrameOptions();
configurer(options);
return(app.UseMiddleware <XfoMiddleware>(options));
}
public XFrameOptionsAttribute(XFrameOptions type, string allowFrom = null)
{
switch (type)
{
case XFrameOptions.Deny:
Value = "deny";
break;
case XFrameOptions.SameOrigin:
Value = "deny";
break;
case XFrameOptions.AllowFrom:
Value = $"allow-from {allowFrom}";
break;
case XFrameOptions.AllowAll:
Value = "allow-all";
break;
default:
throw new ArgumentOutOfRangeException(nameof(type), type, null);
}
}
/// <summary>
/// The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
/// The added security is provided only if the user accessing the document is using a browser that supports X-Frame-Options.
/// </summary>
/// <param name="builder"></param>
/// <param name="value"></param>
/// <param name="allowFromUri"></param>
/// <returns></returns>
public static IApplicationBuilder AddXFrameOptions(this IApplicationBuilder builder, XFrameOptions value)
{
builder.Use((context, next) =>
{
context.Response.SetXFrameOptions(value);
return(next());
});
return(builder);
}
public void Setup()
{
_options = new XFrameOptions();
}
public void Setup()
{
_options = new XFrameOptions();
}
public XFrameOptionsConfiguration(XFrameOptions xFrameOption, string allowFromDomain)
{
OptionValue = xFrameOption;
AllowFromDomain = allowFromDomain;
}
public XFrameOptionsTests()
{
_options = new XFrameOptions();
}
