Teknikode
/
Teknik
Watch 3
Star 18
Fork 4
Code Issues 39 Pull Requests 0 Releases 3 Wiki Activity
The next generation of the Teknik Services. Written in ASP.NET. https://www.teknik.io/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
709 Commits
2 Branches
Tree: bbaf251525
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bbaf251525'
${ noResults }
Teknik/IdentityServer/Middleware/CSPMiddleware.cs

CSPMiddleware.cs 2.5KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. using System;

  2. using System.Collections.Generic;

  3. using System.Linq;

  4. using System.Threading.Tasks;

  5. using Microsoft.AspNetCore.Builder;

  6. using Microsoft.AspNetCore.Http;

  7. using Teknik.Configuration;

  8. using Teknik.Utilities;

  9. 

  10. namespace Teknik.IdentityServer.Middleware

  11. {

  12.     // You may need to install the Microsoft.AspNetCore.Http.Abstractions package into your project

  13.     public class CSPMiddleware

  14.     {

  15.         private readonly RequestDelegate _next;

  16. 

  17.         public CSPMiddleware(RequestDelegate next)

  18.         {

  19.             _next = next;

  20.         }

  21. 

  22.         public Task Invoke(HttpContext httpContext, Config config)

  23.         {

  24.             if (!httpContext.Request.IsLocal())

  25.             {

  26.                 // Default to nothing allowed

  27.                 string allowedDomain = "'none'";

  28. 

  29.                 // Allow this domain

  30.                 string host = httpContext.Request.Headers["Host"];

  31. 

  32.                 if (!string.IsNullOrEmpty(host))

  33.                 {

  34.                     allowedDomain = host;

  35.                 }

  36. 

  37.                 var csp = string.Format(

  38.                     "default-src 'none'; " +

  39.                     "script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " +

  40.                     "style-src 'unsafe-inline' {0}; " +

  41.                     "img-src data: *; " +

  42.                     "font-src data: {0}; " +

  43.                     "connect-src wss: blob: data: {0}; " +

  44.                     "media-src *; " +

  45.                     "worker-src blob: mediastream: {0}; " +

  46.                     "form-action {0}; " +

  47.                     "base-uri {0}; " +

  48.                     "frame-ancestors {0};",

  49.                     allowedDomain,

  50.                     httpContext.Items[Constants.NONCE_KEY]);

  51. 

  52.                 if (!httpContext.Response.Headers.ContainsKey("Content-Security-Policy"))

  53.                 {

  54.                     httpContext.Response.Headers.Add("Content-Security-Policy", csp);

  55.                 }

  56.                 // and once again for IE

  57.                 if (!httpContext.Response.Headers.ContainsKey("X-Content-Security-Policy"))

  58.                 {

  59.                     httpContext.Response.Headers.Add("X-Content-Security-Policy", csp);

  60.                 }

  61.             }

  62. 

  63.             return _next(httpContext);

  64.         }

  65.     }

  66. 

  67.     // Extension method used to add the middleware to the HTTP request pipeline.

  68.     public static class CSPMiddlewareExtensions

  69.     {

  70.         public static IApplicationBuilder UseCSP(this IApplicationBuilder builder)

  71.         {

  72.             return builder.UseMiddleware<CSPMiddleware>();

  73.         }

  74.     }

  75. }