Пример #1
0
        public async Task When_adding_csp_middleware_a_response_should_serve_the_csp_header()
        {
            var config = new ContentSecurityPolicyConfiguration();

            config.ScriptSrc.AddScheme("https:");
            config.ImgSrc.AddKeyword(SourceListKeyword.Self);
            var client   = CspClientHelper.Create(config);
            var response = await client.GetAsync("https://wwww.example.com");

            response.Csp().Should().NotBeNullOrWhiteSpace();
        }
Пример #2
0
        public async Task When_adding_csp_middleware_the_response_should_contain_the_expected_csp_directives()
        {
            var config = new ContentSecurityPolicyConfiguration();

            config.ScriptSrc.AddScheme("https:");
            config.ImgSrc.AddKeyword(SourceListKeyword.Self);
            var client   = CspClientHelper.Create(config);
            var response = await client.GetAsync("https://wwww.example.com");

            var headerValue = response.Csp();
            var values      = headerValue.Split(new[] { ";" }, StringSplitOptions.None).Select(i => i.Trim()).ToList();

            values.Count.Should().Be(2);
            values.Should().Contain(i => i.Equals("img-src 'self'"));
            values.Should().Contain(i => i.Equals("script-src https:"));
        }
Пример #3
0
        public async Task When_adding_csp_middleware_and_another_middleware_has_already_added_a_csp_header_the_middlewar_should_not_add_the_header()
        {
            var cfg = new ContentSecurityPolicyConfiguration();

            cfg.ScriptSrc.AddKeyword(SourceListKeyword.Self);
            var client = CspClientHelper.Create(cfg,
                                                builder => builder.Use(async(ctx, next) => {
                ctx.Response.OnSendingHeaders(ctx2 => {
                    ((IOwinResponse)ctx2).Headers.Add(HeaderConstants.ContentSecurityPolicy, new [] { "Dummy" });
                }, ctx.Response);
                await next();
            }));
            var resp = await client.GetAsync("http://www.example.com");

            var header = resp.Csp();

            header.ShouldEqual("Dummy");
        }