Merge pull request #16758 from abpframework/salihozkara/CSPIgnore
Add IgnoreAbpSecurityHeaderAttribute
Salih
3 years ago
committed by
GitHub
4 changed files with
43 additions and
1 deletions
-
docs/en/UI/AspNetCore/Security-Headers.md
-
framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
-
framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
-
modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
@ -74,3 +74,26 @@ Configure<AbpSecurityHeadersOptions>(options => |
|
|
|
}); |
|
|
|
}); |
|
|
|
``` |
|
|
|
|
|
|
|
### Ignore Abp Security Headers |
|
|
|
|
|
|
|
You can ignore the Abp Security Headers for some actions or pages. You can use the `IgnoreAbpSecurityHeaderAttribute` attribute for this. |
|
|
|
|
|
|
|
**Example:** |
|
|
|
|
|
|
|
```csharp |
|
|
|
@using Volo.Abp.AspNetCore.Security |
|
|
|
@attribute [IgnoreAbpSecurityHeaderAttribute] |
|
|
|
``` |
|
|
|
|
|
|
|
**Example:** |
|
|
|
|
|
|
|
```csharp |
|
|
|
[IgnoreAbpSecurityHeaderAttribute] |
|
|
|
public class IndexModel : AbpPageModel |
|
|
|
{ |
|
|
|
public void OnGet() |
|
|
|
{ |
|
|
|
} |
|
|
|
} |
|
|
|
``` |
|
|
|
@ -33,11 +33,19 @@ public class AbpSecurityHeadersMiddleware : IMiddleware, ITransientDependency |
|
|
|
|
|
|
|
var requestAcceptTypeHtml = context.Request.Headers["Accept"].Any(x => |
|
|
|
x.Contains("text/html") || x.Contains("*/*") || x.Contains("application/xhtml+xml")); |
|
|
|
|
|
|
|
var endpoint = context.GetEndpoint(); |
|
|
|
|
|
|
|
if (endpoint?.Metadata.GetMetadata<IgnoreAbpSecurityHeaderAttribute>() != null) |
|
|
|
{ |
|
|
|
await next.Invoke(context); |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
if (!requestAcceptTypeHtml |
|
|
|
|| !Options.Value.UseContentSecurityPolicyHeader |
|
|
|
|| await AlwaysIgnoreContentTypes(context) |
|
|
|
|| context.GetEndpoint() == null |
|
|
|
|| endpoint == null |
|
|
|
|| Options.Value.IgnoredScriptNoncePaths.Any(x => context.Request.Path.StartsWithSegments(x.EnsureStartsWith('/')))) |
|
|
|
{ |
|
|
|
AddOtherHeaders(context); |
|
|
|
|
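Review bot: The early return added for `IgnoreAbpSecurityHeaderAttribute` (the new `if` block after `var endpoint = context.GetEndpoint();`) skips `AddOtherHeaders(context)` as well as the CSP path, so a marked endpoint loses every header this middleware sets, not only the CSP/nonce one that the branch name (CSPIgnore) suggests was the goal. Whatever `AddOtherHeaders` emits is not visible in this hunk, but if it includes frame or content-type protections this is a broader relaxation than an opt-out from CSP should be. If CSP-only is the intent, drop the new `if` block and fold the check into the existing condition, `|| endpoint?.Metadata.GetMetadata<IgnoreAbpSecurityHeaderAttribute>() != null`, which still reaches `AddOtherHeaders`. Either way the chosen behavior deserves a comment on the check, e.g. `// Marked endpoints receive none of the ABP security headers (CSP and the others alike).` The enclosing method starts before this hunk.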
|
|
|
@ -0,0 +1,9 @@ |
|
|
|
using System; |
|
|
|
|
|
|
|
namespace Volo.Abp.AspNetCore.Security; |
|
|
|
|
|
|
|
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)] |
|
|
|
public class IgnoreAbpSecurityHeaderAttribute : Attribute |
|
|
|
{ |
|
|
|
|
|
|
|
} |
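Review bot: `IgnoreAbpSecurityHeaderAttribute` has no XML doc, and its effect is easy to misjudge from the name: the middleware returns before writing any header when it finds this metadata, so it suppresses all ABP security headers rather than just CSP. Add a summary stating that, e.g. `/// Marks an action or page model whose responses must not receive any of the headers added by AbpSecurityHeadersMiddleware (CSP and the other security headers alike).` The file is named `IgnoreAbpSecurityHeader.cs` while the type is `IgnoreAbpSecurityHeaderAttribute`; renaming the file to match the type follows the one-type-per-file convention used elsewhere. Marking the class `sealed` and spelling out `AllowMultiple = false` in the `AttributeUsage` would also make the intended usage explicit.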
|
|
|
@ -10,6 +10,7 @@ using Microsoft.AspNetCore.Mvc; |
|
|
|
using Microsoft.Extensions.Primitives; |
|
|
|
using OpenIddict.Abstractions; |
|
|
|
using OpenIddict.Server.AspNetCore; |
|
|
|
using Volo.Abp.AspNetCore.Security; |
|
|
|
using Volo.Abp.OpenIddict.ViewModels.Authorization; |
|
|
|
|
|
|
|
namespace Volo.Abp.OpenIddict.Controllers; |
|
|
|
@ -20,6 +21,7 @@ public class AuthorizeController : AbpOpenIdDictControllerBase |
|
|
|
{ |
|
|
|
[HttpGet, HttpPost] |
|
|
|
[IgnoreAntiforgeryToken] |
|
|
|
[IgnoreAbpSecurityHeader] |
|
|
|
public virtual async Task<IActionResult> HandleAsync() |
|
|
|
{ |
|
|
|
var request = await GetOpenIddictServerRequestAsync(HttpContext); |
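Review bot: `[IgnoreAbpSecurityHeader]` on `HandleAsync` strips all ABP security headers from the authorization endpoint's responses (the middleware returns before `AddOtherHeaders` when it sees this attribute), and nothing in the hunk records why. The OAuth authorize endpoint is a classic clickjacking/UI-redress target, so if the headers dropped here include an `X-Frame-Options` or CSP `frame-ancestors` protection (not visible in this change) the opt-out weakens it exactly where it matters most. If the only problem is the script nonce (for example for the consent page or a `form_post` response), a narrower exclusion such as `IgnoredScriptNoncePaths` or a CSP-only opt-out would be preferable. At minimum, add a comment above the attribute explaining the reason, e.g. `// Security headers are skipped here because <reason>; confirm frame protection is still applied to this endpoint elsewhere.` HandleAsync's body continues past this hunk.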
|
|
|