示例#1
 /// <summary>
 /// Initializes a new instance of the <see cref="XXssProtectionAttribute"/> class
 /// with the XSS filter policy enabled and block mode turned on.
 /// </summary>
 /// <remarks>
 /// X-XSS-Protection only steers the legacy XSS filters of older browsers, so this
 /// default complements output encoding and a Content-Security-Policy rather than
 /// replacing them.
 /// </remarks>
 public XXssProtectionAttribute()
 {
     // Default policy: filter on, and block the response instead of letting the
     // legacy filter rewrite the page.
     var defaultConfig = new XXssProtectionConfiguration
     {
         Policy = XXssPolicy.FilterEnabled,
         BlockMode = true
     };
     _config = defaultConfig;

     _headerConfigurationOverrideHelper = new HeaderConfigurationOverrideHelper();

     var cspReportHelper = new CspReportHelper();
     _headerOverrideHelper = new HeaderOverrideHelper(cspReportHelper);
 }
示例#2
        // No OWIN context is set up in this test, so the helper is expected to hand back
        // the very instance stored on the System.Web context.
        public void GetXXssProtectionConfiguration_NoOwinContext_ReturnsSystemWebConfig()
        {
            var expected = new XXssProtectionConfiguration();
            _systemWebContext.XXssProtection = expected;

            var actual = _contextHelper.GetXXssProtectionConfiguration(_mockContext);

            // Reference equality: the helper must not copy or rebuild the configuration.
            Assert.Same(expected, actual);
        }
示例#3
        // The configuration placed on the NWebsec context must be returned unchanged.
        public void GetXXssProtectionConfiguration_ReturnsContextConfig()
        {
            var expected = new XXssProtectionConfiguration();
            _nwContext.XXssProtection = expected;

            var actual = _contextHelper.GetXXssProtectionConfiguration(_mockContext);

            // Reference equality: the same instance, not an equivalent copy.
            Assert.Same(expected, actual);
        }
示例#4
        // Policy "Disabled" with no previous configuration must produce no header action at all.
        // This is distinct from XXssPolicy.FilterDisabled, which sets a header value.
        public void CreateXXssProtectionResult_Disabled_ReturnsNull()
        {
            var disabledConfig = new XXssProtectionConfiguration
            {
                Policy = XXssPolicy.Disabled
            };

            var headerResult = _generator.CreateXXssProtectionResult(disabledConfig);

            Assert.Null(headerResult);
        }
示例#5
        // An override stored for a context must come back as the same instance when read
        // for that context.
        public void GetXXssProtectionWithOverride_ConfigOverriden_ReturnsOverrideElement()
        {
            var expectedOverride = new XXssProtectionConfiguration
            {
                Policy = XXssPolicy.FilterEnabled
            };
            _headerConfigurationOverrideHelper.SetXXssProtectionOverride(_mockContext, expectedOverride);

            var actualOverride = _headerConfigurationOverrideHelper.GetXXssProtectionWithOverride(_mockContext);

            Assert.AreSame(expectedOverride, actualOverride);
        }
示例#6
        // When an OWIN context exists and carries a configuration, that instance is the one
        // the helper must return.
        public void GetXXssProtectionConfiguration_HasOwinConfig_ReturnsOwinConfig()
        {
            SetupOwinContext();
            var expected = new XXssProtectionConfiguration();
            _owinContext.XXssProtection = expected;

            var actual = _contextHelper.GetXXssProtectionConfiguration(_mockContext);

            Assert.Same(expected, actual);
        }
示例#7
        // An OWIN context is present but nothing is assigned to it in this test, so the
        // System.Web configuration is expected to be returned instead.
        public void GetXXssProtectionConfiguration_OwinContextWithoutConfig_ReturnsSystemWebConfig()
        {
            SetupOwinContext();
            var expected = new XXssProtectionConfiguration();
            _systemWebContext.XXssProtection = expected;

            var actual = _contextHelper.GetXXssProtectionConfiguration(_mockContext);

            Assert.AreSame(expected, actual);
        }
        // With no override configured, the helper must leave the response alone: no header
        // result is generated and nothing is passed to the result handler.
        public void SetXXssProtectionHeader_NoOverride_DoesNothing()
        {
            var configFromContext = new XXssProtectionConfiguration();

            _contextHelper
                .Setup(helper => helper.GetXXssProtectionConfiguration(It.IsAny<HttpContextBase>()))
                .Returns(configFromContext);
            // The override lookup returns null here, which is the "no override" case under test.
            _configurationOverrideHelper
                .Setup(helper => helper.GetXXssProtectionWithOverride(It.IsAny<HttpContextBase>()))
                .Returns((XXssProtectionConfiguration)null);

            _overrideHelper.SetXXssProtectionHeader(_mockContext);

            _headerGenerator.Verify(
                generator => generator.CreateXXssProtectionResult(
                    It.IsAny<XXssProtectionConfiguration>(),
                    It.IsAny<XXssProtectionConfiguration>()),
                Times.Never);
            _headerResultHandler.Verify(
                handler => handler.HandleHeaderResult(It.IsAny<HttpResponseBase>(), It.IsAny<HeaderResult>()),
                Times.Never);
        }
        // When an override exists, the generator is called with (override, context config)
        // and the result it produces must reach the result handler exactly once.
        public void SetXXssProtectionHeader_Override_CreatesAndHandlesHeaderResult()
        {
            var configFromContext = new XXssProtectionConfiguration();
            var configFromOverride = new XXssProtectionConfiguration();

            _contextHelper
                .Setup(helper => helper.GetXXssProtectionConfiguration(It.IsAny<HttpContextBase>()))
                .Returns(configFromContext);
            _configurationOverrideHelper
                .Setup(helper => helper.GetXXssProtectionWithOverride(It.IsAny<HttpContextBase>()))
                .Returns(configFromOverride);
            // Argument order matters: the override is the new config, the context config the old one.
            _headerGenerator
                .Setup(generator => generator.CreateXXssProtectionResult(configFromOverride, configFromContext))
                .Returns(_expectedHeaderResult);

            _overrideHelper.SetXXssProtectionHeader(_mockContext);

            _headerResultHandler.Verify(
                handler => handler.HandleHeaderResult(It.IsAny<HttpResponseBase>(), _expectedHeaderResult),
                Times.Once);
        }
示例#10
        // Filter enabled plus block mode must serialize to the header value "1; mode=block".
        public void CreateXXssProtectionResult_FilterEnabledPolicyWithBlockmode_ReturnsSetXssProtectionEnabledWithBlockModeResult()
        {
            var blockModeConfig = new XXssProtectionConfiguration
            {
                Policy = XXssPolicy.FilterEnabled,
                BlockMode = true
            };

            var headerResult = _generator.CreateXXssProtectionResult(blockModeConfig);

            Assert.NotNull(headerResult);
            Assert.Equal(HeaderResult.ResponseAction.Set, headerResult.Action);
            Assert.Equal("X-XSS-Protection", headerResult.Name);
            // Exact string match: the "mode=block" directive must not be dropped or reformatted.
            Assert.Equal("1; mode=block", headerResult.Value);
        }
示例#11
        // FilterDisabled must still set the header, with the explicit value "0".
        // An explicit "0" differs from omitting the header: it tells browsers that still
        // honour X-XSS-Protection to switch their filter off.
        public void CreateXXssProtectionResult_FilterDisabledPolicy_ReturnsSetXXssProtectionDisabledResult()
        {
            var filterOffConfig = new XXssProtectionConfiguration
            {
                Policy = XXssPolicy.FilterDisabled
            };

            var headerResult = _generator.CreateXXssProtectionResult(filterOffConfig);

            Assert.NotNull(headerResult);
            Assert.Equal(HeaderResult.ResponseAction.Set, headerResult.Action);
            Assert.Equal("X-XSS-Protection", headerResult.Name);
            Assert.Equal("0", headerResult.Value);
        }
示例#12
        // Switching to policy "Disabled" when an earlier configuration had set the header
        // must yield a Remove action for X-XSS-Protection.
        // NOTE(review): the method name says the old config has the filter enabled, but the
        // old config built below uses FilterDisabled. Confirm which one was intended.
        public void CreateXXssProtectionResult_DisabledWithFilterEnabledinOldconfig_ReturnsRemoveXXssProtectionResult()
        {
            var previousConfig = new XXssProtectionConfiguration
            {
                Policy = XXssPolicy.FilterDisabled
            };
            var currentConfig = new XXssProtectionConfiguration
            {
                Policy = XXssPolicy.Disabled
            };

            var headerResult = _generator.CreateXXssProtectionResult(currentConfig, previousConfig);

            Assert.NotNull(headerResult);
            Assert.Equal("X-XSS-Protection", headerResult.Name);
            Assert.Equal(HeaderResult.ResponseAction.Remove, headerResult.Action);
        }
        // The same FilterEnabled policy in both old and new configuration must still produce
        // a Set action. BlockMode is not set in this test, and the expected value is the bare "1".
        public void CreateXXssProtectionResult_FilterEnabledPolicyWithFilterEnabledinOldconfig_ReturnsSetXXssProtectionEnabledResult()
        {
            var previousConfig = new XXssProtectionConfiguration
            {
                Policy = XXssPolicy.FilterEnabled
            };
            var currentConfig = new XXssProtectionConfiguration
            {
                Policy = XXssPolicy.FilterEnabled
            };

            var headerResult = _generator.CreateXXssProtectionResult(currentConfig, previousConfig);

            Assert.IsNotNull(headerResult);
            Assert.AreEqual(HeaderResult.ResponseAction.Set, headerResult.Action);
            Assert.AreEqual("X-XSS-Protection", headerResult.Name);
            // No "mode=block" directive is expected in this case.
            Assert.AreEqual("1", headerResult.Value);
        }