/// <summary>
/// Builds the HTTP header value
/// </summary>
/// <returns>A string representing the HTTP header value</returns>
public string BuildHeaderValue()
{
var stringBuilder = new StringBuilder();
switch (OptionValue)
{
case XFrameOptions.deny:
stringBuilder.Append("deny");
break;
case XFrameOptions.sameorigin:
stringBuilder.Append("sameorigin");
break;
case XFrameOptions.allowfrom:
if (string.IsNullOrWhiteSpace(AllowFromDomain))
{
ArgumentExceptionHelper.RaiseException(nameof(AllowFromDomain));
}
stringBuilder.Append("allow-from: ");
stringBuilder.Append(AllowFromDomain);
break;
}
return(stringBuilder.ToString());
}
/// <summary>
/// Builds the HTTP header value
/// </summary>
/// <returns>A string representing the HTTP header value</returns>
public string BuildHeaderValue()
{
var stringBuilder = new StringBuilder();
switch (XssSetting)
{
case XssMode.zero:
stringBuilder.Append(0);
break;
case XssMode.one:
stringBuilder.Append(1);
break;
case XssMode.oneBlock:
stringBuilder.Append("1; mode=block");
break;
case XssMode.oneReport:
if (string.IsNullOrWhiteSpace(ReportUri))
{
ArgumentExceptionHelper.RaiseException(nameof(ReportUri));
}
stringBuilder.Append("1; report=");
stringBuilder.Append(ReportUri);
break;
}
return(stringBuilder.ToString());
}
public string BuildHeaderValue()
{
switch (xPermittedCrossDomainOptionValue)
{
case XPermittedCrossDomainOptionValue.none:
return("none;");
case XPermittedCrossDomainOptionValue.masterOnly:
return("master-only;");
case XPermittedCrossDomainOptionValue.byContentType:
return("by-content-type;");
case XPermittedCrossDomainOptionValue.byFtpFileType:
return("by-ftp-file-type;");
case XPermittedCrossDomainOptionValue.all:
return("all;");
default:
ArgumentExceptionHelper.RaiseException(nameof(xPermittedCrossDomainOptionValue));
break;
}
return(";");
}
/// <summary>
/// Builds the HTTP header value
/// </summary>
/// <returns>A string representing the HTTP header value</returns>
public string BuildHeaderValue()
{
var stringBuilder = new StringBuilder();
switch (OptionValue)
{
case XFrameOptions.Deny:
stringBuilder.Append("DENY");
break;
case XFrameOptions.Sameorigin:
stringBuilder.Append("SAMEORIGIN");
break;
case XFrameOptions.Allowfrom:
if (string.IsNullOrWhiteSpace(AllowFromDomain))
{
ArgumentExceptionHelper.RaiseException(nameof(AllowFromDomain));
}
stringBuilder.Append($"ALLOW-FROM({AllowFromDomain})");
break;
case XFrameOptions.AllowAll:
stringBuilder.Append("ALLOWALL");
break;
}
return(stringBuilder.ToString());
}
public string BuildHeaderValue()
{
switch (ReferrerPolicyOption)
{
case ReferrerPolicyOptions.noReferrer:
return("no-referrer");
case ReferrerPolicyOptions.noReferrerWhenDowngrade:
return("no-referrer-when-downgrade");
case ReferrerPolicyOptions.origin:
return("origin");
case ReferrerPolicyOptions.originWhenCrossOrigin:
return("origin-when-cross-origin");
case ReferrerPolicyOptions.sameOrigin:
return("same-origin");
case ReferrerPolicyOptions.strictOrigin:
return("strict-origin");
case ReferrerPolicyOptions.strictWhenCrossOrigin:
return("strict-origin-when-cross-origin");
case ReferrerPolicyOptions.unsafeUrl:
return("unsafe-url");
default:
ArgumentExceptionHelper.RaiseException(nameof(ReferrerPolicyOption));
break;
}
return(";");
}
public string BuildHeaderValue()
{
if (string.IsNullOrWhiteSpace(OptionValue))
{
ArgumentExceptionHelper.RaiseException(nameof(OptionValue));
}
return(OptionValue);
}
public new string BuildHeaderValue()
{
if (string.IsNullOrWhiteSpace(ReportUri))
{
// We cannot have an empty ReportUri in a Report-Uri only CSP
// Whilst this doesn't break the spec, as it states:
// "The CSP report-uri directive should be used with this header,
// otherwise this header will be an expensive no-op machine"
// the decision has been taken to raise an exception here when
// an empty one has been supplied.
// This decision was taken to ensure that the Report-Uri will
// actually be called - otherwise this response header is useless
ArgumentExceptionHelper.RaiseException(nameof(ReportUri));
}
return(base.BuildHeaderValue());
}
public static SecureHeadersMiddlewareConfiguration UseContentSecurityPolicyReportOnly
(this SecureHeadersMiddlewareConfiguration config, string reportUri,
string pluginTypes = null, bool blockAllMixedContent = true,
bool upgradeInsecureRequests = true, string referrer = null, bool useXContentSecurityPolicy = false)
{
// Check whether the URI is valid before continuing
if (!reportUri.IsValidHttpsUri())
{
ArgumentExceptionHelper.RaiseException(nameof(reportUri));
}
config.UseContentSecurityPolicyReportOnly = true;
config.UseXContentSecurityPolicy = useXContentSecurityPolicy;
config.ContentSecurityPolicyReportOnlyConfiguration = new ContentSecurityPolicyReportOnlyConfiguration
(pluginTypes, blockAllMixedContent, upgradeInsecureRequests, referrer, reportUri);
return(config);
}
/// <summary>
/// Used to set the Content Security Policy URIs for a given <see cref="CspUriType"/>
/// </summary>
public static ContentSecurityPolicyConfiguration SetCspUri
(this ContentSecurityPolicyConfiguration @this, List <ContentSecurityPolicyElement> uris,
CspUriType uriType)
{
switch (uriType)
{
case CspUriType.Base:
@this.BaseUri = uris;
break;
case CspUriType.DefaultUri:
@this.DefaultSrc = uris;
break;
case CspUriType.Script:
@this.ScriptSrc = uris;
break;
case CspUriType.Object:
@this.ObjectSrc = uris;
break;
case CspUriType.Style:
@this.StyleSrc = uris;
break;
case CspUriType.Img:
@this.ImgSrc = uris;
break;
case CspUriType.Media:
@this.MediaSrc = uris;
break;
case CspUriType.Frame:
@this.FrameSrc = uris;
break;
case CspUriType.Child:
@this.ChildSrc = uris;
break;
case CspUriType.FrameAncestors:
@this.FrameAncestors = uris;
break;
case CspUriType.Font:
@this.FontSrc = uris;
break;
case CspUriType.Connect:
@this.ConnectSrc = uris;
break;
case CspUriType.Manifest:
@this.ManifestSrc = uris;
break;
case CspUriType.Form:
@this.FormAction = uris;
break;
default:
ArgumentExceptionHelper.RaiseException(nameof(CspUriType));
break;
}
return(@this);
}
