private void AddClientDependencies(IClientDependencySet dependencySet)
{
foreach (var cssFileDependency in dependencySet.RequiresCss())
{
if (String.IsNullOrEmpty(cssFileDependency.MediaQueryAlias))
{
skinSmall.FileList.Add(cssFileDependency.CssFileAlias);
}
if (cssFileDependency.MediaQueryAlias == skinMedium.MediaConfiguration)
{
skinMedium.FileList.Add(cssFileDependency.CssFileAlias);
}
if (cssFileDependency.MediaQueryAlias == skinLarge.MediaConfiguration)
{
skinLarge.FileList.Add(cssFileDependency.CssFileAlias);
}
}
foreach (var scriptDependency in dependencySet.RequiresJavaScript())
{
skinScript.FileList.Add(scriptDependency.JsFileAlias);
}
var csp = new ContentSecurityPolicyHeaders(Response.Headers);
var cspConfig = new ContentSecurityPolicyFromConfig();
foreach (var contentSecurityPolicy in dependencySet.RequiresContentSecurityPolicy())
{
csp.AppendPolicy(cspConfig.Policies[contentSecurityPolicy.Alias]);
}
csp.UpdateHeaders();
}
private void Show404(Uri requestedUrl)
{
// Return the correct HTTP status code
new Web.HttpStatus().NotFound();
// Set the page title
Page.Title = "Page not found";
var skinnable = Master as BaseMasterPage;
if (skinnable != null)
{
skinnable.Skin = new CustomerFocusSkin();
}
var nonce = Guid.NewGuid().ToString().Replace("-", String.Empty);
var config = new ContentSecurityPolicyFromConfig();
var filter = new ContentSecurityPolicyUrlFilter(Request.Url, config.UrlsToExclude);
if (filter.ApplyPolicy() && !Response.HeadersWritten)
{
new ContentSecurityPolicyHeaders(Response.Headers).AppendPolicy($"script-src 'nonce-{nonce}'").UpdateHeaders();
}
// Configure the tracking script and track the 404 with Google Analytics
script.TagName = "script";
script.Attributes.Add("nonce", nonce);
if (requestedUrl != null)
{
script.Attributes.Add("data-request", Server.HtmlEncode(Regex.Replace(requestedUrl.PathAndQuery, @"[^A-Za-z0-9/\-_\.\?=:#+%]", String.Empty)));
}
var normalisedReferrer = String.Empty;
try
{
if (Request.UrlReferrer != null)
{
normalisedReferrer = Request.UrlReferrer.ToString().Replace("'", "\'");
}
}
catch (UriFormatException)
{
// Catch this error and simply ignore the referrer if it is an invalid URI, which can happen in a hacking scenario.
// For example, if the request contains an invalid referring URL such as http://google.com', when you access the
// Request.UrlReferrer property .NET creates a Uri instance which throws this exception.
}
script.Attributes.Add("data-referrer", Server.HtmlEncode(Regex.Replace(normalisedReferrer, @"[^A-Za-z0-9/\-_\.\?=:#+%]", String.Empty)));
}
/// <summary>
/// Handles the Load event of the Page control.
/// </summary>
/// <param name="sender">The source of the event.</param>
/// <param name="e">The <see cref="System.EventArgs"/> instance containing the event data.</param>
protected void Page_Load(object sender, EventArgs e)
{
// Common headers for all master pages: Force IE to use latest rendering engine or Chrome Frame
Response.AddHeader("X-UA-Compatible", "IE=edge,chrome=1");
// Google recommends specifying this to ensure proxy caches don't serve our mobile template to desktop users
// ...but it doesn't work as ASP.NET ignores it. Also gzip uses Vary: Accept-encoding.
// https://developers.google.com/webmasters/smartphone-sites/details
// Response.AddHeader("Vary", "User-Agent");
// In rare circumstances Azure can return a value for Request.Url.Authority which is not correct. Since
// Request.Url.Authority is used to load client-side assets, ensure it is always allowed by the content security policy.
var config = new ContentSecurityPolicyFromConfig();
var filter = new ContentSecurityPolicyUrlFilter(Request.Url, config.UrlsToExclude);
if (filter.ApplyPolicy() && !Response.HeadersWritten)
{
new ContentSecurityPolicyHeaders(Response.Headers)
.AppendPolicy($"script-src {Request.Url.GetLeftPart(UriPartial.Authority)}; style-src {Request.Url.GetLeftPart(UriPartial.Authority)}; img-src {Request.Url.GetLeftPart(UriPartial.Authority)}")
.UpdateHeaders();
}
}
