From a5601199c0a55b1f2162423d3b113935e715593a Mon Sep 17 00:00:00 2001
From: Salih
Date: Tue, 6 Jun 2023 08:31:06 +0300
Subject: [PATCH 1/7] Add AbpSecurityHeader ignore attribute
---
 .../Security/AbpSecurityHeadersMiddleware.cs | 14 +++++++++++++-
 .../AspNetCore/Security/IgnoreAbpSecurityHeader.cs | 8 ++++++++
 .../OpenIddict/Controllers/AuthorizeController.cs | 3 ++-
 3 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
index f328cd27ae..e414ab2147 100644
--- a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
@@ -33,11 +33,23 @@ public class AbpSecurityHeadersMiddleware : IMiddleware, ITransientDependency
 var requestAcceptTypeHtml = context.Request.Headers["Accept"].Any(x =>
 x.Contains("text/html") || x.Contains("*/*") || x.Contains("application/xhtml+xml"));
+
+ var endpoint = context.GetEndpoint();
+
+ if (endpoint != null)
+ {
+ var ignore = endpoint.Metadata.GetMetadata() != null;
+ if (ignore)
+ {
+ await next.Invoke(context);
+ return;
+ }
+ }
 if (!requestAcceptTypeHtml
 || !Options.Value.UseContentSecurityPolicyHeader
 || await AlwaysIgnoreContentTypes(context)
- || context.GetEndpoint() == null
+ || endpoint == null
 || Options.Value.IgnoredScriptNoncePaths.Any(x => context.Request.Path.StartsWithSegments(x.EnsureStartsWith('/'))))
 {
 AddOtherHeaders(context);
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
new file mode 100644
index 0000000000..d8f772fad6
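Review bot: The early `await next.Invoke(context); return;` in the new endpoint block skips everything the rest of the method would add, not only the CSP nonce handling: it returns before the branch that calls `AddOtherHeaders(context)`, so an endpoint carrying the attribute gets none of this middleware's headers. If only the CSP/nonce handling is meant to be skipped, the check belongs in the existing condition next to `endpoint == null`, as `|| endpoint.Metadata.GetMetadata<IgnoreAbpSecurityHeaderAttribute>() != null`, so that `AddOtherHeaders(context)` still runs; if a full opt-out is intended, that should be stated in the attribute's doc and in Security-Headers.md. With endpoint routing `context.GetEndpoint()` is only populated once routing has run, so when this middleware is registered before `UseRouting()` the attribute is silently never honored; a comment at `var endpoint = context.GetEndpoint();` saying so would help. Patch 3 of this series compacts this block but keeps the same early return, and the enclosing method starts and ends outside the hunk (the generic argument of `GetMetadata()` appears to have been dropped in rendering).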
--- /dev/null
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
@@ -0,0 +1,8 @@
+using System;
+
+namespace Volo.Abp.AspNetCore.Security;
+
+public class IgnoreAbpSecurityHeaderAttribute : Attribute
+{
+
+}
\ No newline at end of file
diff --git a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
index 961252aae7..f0b04b21d5 100644
--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
@@ -10,6 +10,7 @@ using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Primitives;
 using OpenIddict.Abstractions;
 using OpenIddict.Server.AspNetCore;
+using Volo.Abp.AspNetCore.Security;
 using Volo.Abp.OpenIddict.ViewModels.Authorization;
 namespace Volo.Abp.OpenIddict.Controllers;
@@ -19,7 +20,7 @@ namespace Volo.Abp.OpenIddict.Controllers;
 public class AuthorizeController : AbpOpenIdDictControllerBase
 {
 [HttpGet, HttpPost]
- [IgnoreAntiforgeryToken]
+ [IgnoreAntiforgeryToken, IgnoreAbpSecurityHeader]
 public virtual async Task HandleAsync()
 {
 var request = await GetOpenIddictServerRequestAsync(HttpContext);
From 8ffcb588ff08d8b1f6fdd360c42616ae22288d73 Mon Sep 17 00:00:00 2001
From: Salih
Date: Tue, 6 Jun 2023 08:49:54 +0300
Subject: [PATCH 2/7] Update Security-Headers.md
---
 docs/en/UI/AspNetCore/Security-Headers.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/docs/en/UI/AspNetCore/Security-Headers.md b/docs/en/UI/AspNetCore/Security-Headers.md
index b02e9691b0..dad20089a6 100644
--- a/docs/en/UI/AspNetCore/Security-Headers.md
+++ b/docs/en/UI/AspNetCore/Security-Headers.md
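Review bot: `IgnoreAbpSecurityHeaderAttribute` is a new public type with no XML doc comment, so a reader has to open the middleware to learn what the attribute actually disables. A `/// <summary>` on the class along the lines of `/// Skips <see cref="AbpSecurityHeadersMiddleware"/> for the decorated class or action; none of the headers that middleware would add are written to the response.` would make the contract explicit, and the class can most likely be `sealed`. The file is named `IgnoreAbpSecurityHeader.cs` while the type is `IgnoreAbpSecurityHeaderAttribute`; matching the filename to the type name is the usual one-type-per-file convention. Later patches in this series add `[AttributeUsage]`, so that is not raised here.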
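Review bot: Adding `IgnoreAbpSecurityHeader` to `HandleAsync` turns off every header the middleware emits for the OpenIddict authorize endpoint, a page typically reached directly by a browser, and the hunk gives no reason for it. A one-line comment above the attribute naming the header that conflicts with the authorize flow — e.g. `// IgnoreAbpSecurityHeader: <which header breaks the authorize flow, and why> — TODO fill in` — would let a reviewer judge whether a narrower opt-out is enough. If the problem is only the CSP nonce, the `IgnoredScriptNoncePaths` option visible in the middleware hunk already exists for that purpose and keeps the other headers. Patch 5 removes this attribute and patch 7 re-adds it on its own line, so the same comment applies there; the rest of `HandleAsync` is outside the hunk.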
@@ -74,3 +74,26 @@ Configure(options =>
 });
 });
 ```
+
+### Ignore Abp Security Headers
+
+You can ignore the Abp Security Headers for some actions or pages. You can use the `IgnoreAbpSecurityHeaderAttribute` attribute for this.
+
+**Example:**
+
+```csharp
+@using Volo.Abp.AspNetCore.Security
+@attribute [IgnoreAbpSecurityHeaderAttribute]
+```
+
+**Example:**
+
+```csharp
+[IgnoreAbpSecurityHeaderAttribute]
+public class IndexModel : AbpPageModel
+{
+ public void OnGet()
+ {
+ }
+}
+```
\ No newline at end of file
From 1993226525e8bb52f5bbdc8efa65e72e9ddf7db5 Mon Sep 17 00:00:00 2001
From: Salih
Date: Tue, 6 Jun 2023 08:55:34 +0300
Subject: [PATCH 3/7] Update AbpSecurityHeadersMiddleware.cs
---
 .../Security/AbpSecurityHeadersMiddleware.cs | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
index e414ab2147..b1068bbe85 100644
--- a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
@@ -35,15 +35,11 @@ public class AbpSecurityHeadersMiddleware : IMiddleware, ITransientDependency
 x.Contains("text/html") || x.Contains("*/*") || x.Contains("application/xhtml+xml"));
 var endpoint = context.GetEndpoint();
-
- if (endpoint != null)
+
+ if (endpoint?.Metadata.GetMetadata() != null)
 {
- var ignore = endpoint.Metadata.GetMetadata() != null;
- if (ignore)
- {
- await next.Invoke(context);
- return;
- }
+ await next.Invoke(context);
+ return;
 }
 if (!requestAcceptTypeHtml
From b4611334ace12f62f4601fda893cdad627e09999 Mon Sep 17 00:00:00 2001
From: maliming
Date: Tue, 6 Jun 2023 13:56:21 +0800
Subject: [PATCH 4/7] Update IgnoreAbpSecurityHeader.cs
---
 .../Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
index d8f772fad6..aeae8526c2 100644
--- a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
@@ -2,7 +2,8 @@
 namespace Volo.Abp.AspNetCore.Security;
+[AttributeUsage(AttributeTargets.Class)]
 public class IgnoreAbpSecurityHeaderAttribute : Attribute
 {
-}
\ No newline at end of file
+}
From 96f6c0ff6c893f19b9f018639f667be86315fda3 Mon Sep 17 00:00:00 2001
From: Salih
Date: Tue, 6 Jun 2023 09:40:47 +0300
Subject: [PATCH 5/7] Update
---
 .../Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs | 2 --
 .../Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
index aeae8526c2..df85511f51 100644
--- a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
@@ -1,8 +1,6 @@
 using System;
 namespace Volo.Abp.AspNetCore.Security;
-
-[AttributeUsage(AttributeTargets.Class)]
 public class IgnoreAbpSecurityHeaderAttribute : Attribute
 {
diff --git a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
index f0b04b21d5..329210b6bd 100644
--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
@@ -20,7 +20,7 @@ namespace Volo.Abp.OpenIddict.Controllers;
 public class AuthorizeController : AbpOpenIdDictControllerBase
 {
 [HttpGet, HttpPost]
- [IgnoreAntiforgeryToken, IgnoreAbpSecurityHeader]
+ [IgnoreAntiforgeryToken]
 public virtual async Task HandleAsync()
 {
 var request = await GetOpenIddictServerRequestAsync(HttpContext);
From 266815796ddca2dd0deab11c580853c82b41244d Mon Sep 17 00:00:00 2001
From: Salih
Date: Tue, 6 Jun 2023 09:45:43 +0300
Subject: [PATCH 6/7] Update IgnoreAbpSecurityHeader.cs
---
 .../Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
index df85511f51..fb9e7717f3 100644
--- a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/IgnoreAbpSecurityHeader.cs
@@ -1,6 +1,8 @@
 using System;
 namespace Volo.Abp.AspNetCore.Security;
+
+[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
 public class IgnoreAbpSecurityHeaderAttribute : Attribute
 {
From 2b6d5814c0b19c820f59bee528cef7bebe3e51b0 Mon Sep 17 00:00:00 2001
From: Salih
Date: Tue, 6 Jun 2023 09:50:59 +0300
Subject: [PATCH 7/7] Update AuthorizeController.cs
---
 .../Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
index 329210b6bd..f4d7008ef5 100644
--- a/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
+++ b/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs
@@ -21,6 +21,7 @@ public class AuthorizeController : AbpOpenIdDictControllerBase
 {
 [HttpGet, HttpPost]
 [IgnoreAntiforgeryToken]
+ [IgnoreAbpSecurityHeader]
 public virtual async Task HandleAsync()
 {
 var request = await GetOpenIddictServerRequestAsync(HttpContext);