
CSPModule.cs 1.7KB

  1. using System;
  2. using System.Collections.Generic;
  3. using System.Linq;
  4. using System.Web;
  5. using Teknik.Configuration;
  6. using Teknik.Utilities;
  7. namespace Teknik.Modules
  8. {
  9. public class CSPModule : IHttpModule
  10. {
  11. public void Dispose()
  12. {
  13. }
  14. public void Init(HttpApplication context)
  15. {
  16. context.PreSendRequestHeaders += delegate (object sender, EventArgs args)
  17. {
  18. HttpContext requestContext = ((HttpApplication)sender).Context;
  19. if (!requestContext.Request.IsLocal)
  20. {
  21. // Default to nothing allowed
  22. string allowedDomain = "'none'";
  23. // Allow this domain
  24. string host = requestContext.Request.Url.Host;
  25. if (!string.IsNullOrEmpty(host))
  26. {
  27. string domain = host.GetDomain();
  28. allowedDomain = string.Format("*.{0} {0}", domain);
  29. }
  30. // If a CDN is enabled, then add the cdn host
  31. Config config = Config.Load();
  32. if (config.UseCdn)
  33. {
  34. allowedDomain += " " + config.CdnHost;
  35. }
  36. requestContext.Response.AppendHeader("Content-Security-Policy", string.Format("default-src 'none'; script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; style-src 'unsafe-inline' {0}; img-src data: *; font-src data: {0}; connect-src wss: blob: data: {0}; media-src *; worker-src blob: mediastream: {0}; form-action {0}; base-uri {0}; frame-ancestors {0};", allowedDomain, requestContext.Items[Constants.NONCE_KEY]));
  37. }
  38. };
  39. }
  40. }
  41. }