tsai
/
openiddict-core
mirror of https://github.com/openiddict/openiddict-core.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Versatile OpenID Connect stack for ASP.NET Core and Microsoft.Owin (compatible with ASP.NET 4.6.1)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
57 Commits
2 Branches
79 Tags
29 MiB
 
 
 
 
 
 
Tree: 55b519b42a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '55b519b42a'
${ noResults }
openiddict-core/external/NWebsec/Middleware/CspMiddleware.cs

88 lines
2.7 KiB
Raw Blame History

// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information.
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Http;
using NWebsec.Core.Extensions;
using NWebsec.Core.HttpHeaders;
using NWebsec.Core.HttpHeaders.Configuration;
using NWebsec.Middleware.Helpers;
namespace NWebsec.Middleware.Middleware
{
public class CspMiddleware
{
private readonly ICspConfiguration _config;
private readonly HeaderResult _headerResult;
private readonly bool _reportOnly;
private readonly RequestDelegate _next;
public CspMiddleware(RequestDelegate next, ICspConfiguration options, bool reportOnly)
{
_next = next;
_config = options;
_reportOnly = reportOnly;
var headerGenerator = new HeaderGenerator();
_headerResult = headerGenerator.CreateCspResult(_config, reportOnly);
}
public async Task Invoke(HttpContext context)
{
if (HandleUpgradeInsecureRequest(context))
{
return;
}
SetCspHeaders(context);
if (_next != null)
{
await _next(context);
}
}
internal bool HandleUpgradeInsecureRequest(HttpContext context)
{
//Already on https.
if (context.Request.IsHttps) return false;
//CSP upgrade-insecure-requests is disabled
if (!_config.Enabled || !_config.UpgradeInsecureRequestsDirective.Enabled) return false;
if (!CspUpgradeHelper.UaSupportsUpgradeInsecureRequests(context)) return false;
var upgradeUri = new UriBuilder($"https://{context.Request.Host}")
{
Port = _config.UpgradeInsecureRequestsDirective.HttpsPort,
Path = context.Request.PathBase + context.Request.Path
};
//Redirect
context.Response.Headers["Vary"] = "Upgrade-Insecure-Requests";
context.Response.Headers["Location"] = upgradeUri.Uri.AbsoluteUri;
context.Response.StatusCode = 307;
return true;
}
internal void SetCspHeaders(HttpContext context)
{
if (_reportOnly)
{
context.GetNWebsecContext().CspReportOnly = _config;
}
else
{
context.GetNWebsecContext().Csp = _config;
}
if (_headerResult.Action == HeaderResult.ResponseAction.Set)
{
context.Response.Headers[_headerResult.Name] = _headerResult.Value;
}
}
}
}