/// <summary>
/// A request whose URL is on the exclusion list must not have the content security policy applied.
/// </summary>
public void UrlIsExcluded()
{
    // Arrange: exclude exactly the relative path that the request URL below resolves to.
    var exclusions = new[] { new Uri("/example/excluded.html", UriKind.Relative) };
    var requestUrl = new Uri("https://www.example.org/example/excluded.html");

    // Act
    var urlFilter = new ContentSecurityPolicyUrlFilter(requestUrl, exclusions);

    // Assert: the filter reports that the policy should be skipped for this request.
    Assert.IsFalse(urlFilter.ApplyPolicy());
}
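/// <summary>
/// Renders the 404 page: sets the HTTP status, applies the skin, issues a per-request CSP nonce and
/// configures the tracking script that records the missing URL with Google Analytics.
/// </summary>
/// <param name="requestedUrl">The URL that could not be found, or <c>null</c> when it is not known.</param>
private void Show404(Uri requestedUrl)
{
    // Return the correct HTTP status code
    new Web.HttpStatus().NotFound();

    // Set the page title
    Page.Title = "Page not found";

    var skinnable = Master as BaseMasterPage;
    if (skinnable != null)
    {
        skinnable.Skin = new CustomerFocusSkin();
    }

    // The nonce is what lets the inline tracking script run under the CSP, so it must be unpredictable.
    // It is drawn from the cryptographic RNG rather than Guid.NewGuid(), whose randomness is not a documented guarantee.
    var nonce = CreateContentSecurityPolicyNonce();

    var config = new ContentSecurityPolicyFromConfig();
    var filter = new ContentSecurityPolicyUrlFilter(Request.Url, config.UrlsToExclude);
    if (filter.ApplyPolicy() && !Response.HeadersWritten)
    {
        new ContentSecurityPolicyHeaders(Response.Headers).AppendPolicy($"script-src 'nonce-{nonce}'").UpdateHeaders();
    }

    // Configure the tracking script and track the 404 with Google Analytics
    script.TagName = "script";
    script.Attributes.Add("nonce", nonce);
    if (requestedUrl != null)
    {
        script.Attributes.Add("data-request", SanitiseTrackingValue(requestedUrl.PathAndQuery));
    }

    // Request.UrlReferrer parses the Referer header lazily and throws UriFormatException on a malformed value
    // (for example a crafted header such as http://google.com'). Such a referrer is simply treated as absent.
    var referrer = String.Empty;
    try
    {
        if (Request.UrlReferrer != null)
        {
            referrer = Request.UrlReferrer.ToString();
        }
    }
    catch (UriFormatException)
    {
        // Ignore the referrer if it is not a valid URI.
    }
    script.Attributes.Add("data-referrer", SanitiseTrackingValue(referrer));
}

/// <summary>
/// Generates a fresh, unpredictable CSP nonce: 128 bits from the cryptographic RNG, base64-encoded
/// (base64 is the value format CSP specifies for nonces).
/// </summary>
/// <returns>The base64-encoded nonce.</returns>
private static string CreateContentSecurityPolicyNonce()
{
    var bytes = new byte[16];
    using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    {
        rng.GetBytes(bytes);
    }
    return Convert.ToBase64String(bytes);
}

/// <summary>
/// Reduces a URL fragment to the characters allowed in the tracking script's data attributes, then HTML-encodes it.
/// The whitelist excludes quotes and angle brackets, so no separate quote escaping is required — the earlier
/// single-quote replacement was a no-op in any case, because the C# escape sequence \' is just an apostrophe.
/// </summary>
/// <param name="value">The raw URL text (never null).</param>
/// <returns>The whitelisted, HTML-encoded text.</returns>
private string SanitiseTrackingValue(string value)
{
    return Server.HtmlEncode(Regex.Replace(value, @"[^A-Za-z0-9/\-_\.\?=:#+%]", String.Empty));
}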
/// <summary>
/// Handles the Load event of the Page control.
/// </summary>
/// <param name="sender">The source of the event.</param>
/// <param name="e">The <see cref="System.EventArgs"/> instance containing the event data.</param>
protected void Page_Load(object sender, EventArgs e)
{
    // Common headers for all master pages: Force IE to use latest rendering engine or Chrome Frame
    Response.AddHeader("X-UA-Compatible", "IE=edge,chrome=1");

    // Google recommends specifying this to ensure proxy caches don't serve our mobile template to desktop users
    // ...but it doesn't work as ASP.NET ignores it. Also gzip uses Vary: Accept-encoding.
    // https://developers.google.com/webmasters/smartphone-sites/details
    // Response.AddHeader("Vary", "User-Agent");

    var cspConfig = new ContentSecurityPolicyFromConfig();
    var urlFilter = new ContentSecurityPolicyUrlFilter(Request.Url, cspConfig.UrlsToExclude);
    if (!urlFilter.ApplyPolicy() || Response.HeadersWritten)
    {
        return;
    }

    // In rare circumstances Azure can return a value for Request.Url.Authority which is not correct. Since
    // Request.Url.Authority is used to load client-side assets, ensure it is always allowed by the content security policy.
    var ownOrigin = Request.Url.GetLeftPart(UriPartial.Authority);
    var policy = $"script-src {ownOrigin}; style-src {ownOrigin}; img-src {ownOrigin}";
    new ContentSecurityPolicyHeaders(Response.Headers)
        .AppendPolicy(policy)
        .UpdateHeaders();
}
/// <summary>
/// Registers the CSS, JavaScript and content security policy requirements of a dependency set with this page.
/// Stylesheets are routed to the small, medium or large skin by their media query alias; each CSP alias is
/// resolved against the configured policies and appended to the response's CSP header.
/// </summary>
/// <param name="dependencySet">The set of client-side dependencies to register.</param>
private void AddClientDependencies(IClientDependencySet dependencySet)
{
    foreach (var css in dependencySet.RequiresCss())
    {
        var mediaQuery = css.MediaQueryAlias;

        // A stylesheet with no media query alias goes to the small skin. The three checks are independent,
        // so a file could land in more than one skin if a skin's MediaConfiguration were itself empty —
        // NOTE(review): this mirrors the existing behaviour; confirm whether that is intended.
        if (String.IsNullOrEmpty(mediaQuery))
        {
            skinSmall.FileList.Add(css.CssFileAlias);
        }
        if (mediaQuery == skinMedium.MediaConfiguration)
        {
            skinMedium.FileList.Add(css.CssFileAlias);
        }
        if (mediaQuery == skinLarge.MediaConfiguration)
        {
            skinLarge.FileList.Add(css.CssFileAlias);
        }
    }

    foreach (var js in dependencySet.RequiresJavaScript())
    {
        skinScript.FileList.Add(js.JsFileAlias);
    }

    var cspConfig = new ContentSecurityPolicyFromConfig();
    var urlFilter = new ContentSecurityPolicyUrlFilter(Request.Url, cspConfig.UrlsToExclude);
    if (!urlFilter.ApplyPolicy() || Response.HeadersWritten)
    {
        return;
    }

    var cspHeaders = new ContentSecurityPolicyHeaders(Response.Headers);
    foreach (var requiredPolicy in dependencySet.RequiresContentSecurityPolicy())
    {
        // NOTE(review): Policies is indexed by alias; presumably an unknown alias throws rather than
        // returning null, surfacing a configuration error — verify against ContentSecurityPolicyFromConfig.
        cspHeaders.AppendPolicy(cspConfig.Policies[requiredPolicy.Alias]);
    }
    cspHeaders.UpdateHeaders();
}