Merge pull request #73 from juunas11/feature/5.0

Feature/5.0

LICENSE.txt

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 Joonas Westlin
+Copyright (c) 2023 Joonas Westlin
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

src/Joonasw.AspNetCore.SecurityHeaders/Csp/Builder/CspScriptsBuilder.cs

@@ -37,23 +37,23 @@ public CspScriptsBuilder FromSelf()
         /// <returns>The builder for call chaining</returns>
         public CspScriptsBuilder From(string uri)
         {
-            if(uri == null) throw new ArgumentNullException(nameof(uri));
-            if(uri.Length == 0) throw new ArgumentException("Uri can't be empty", nameof(uri));
+            if (uri == null) throw new ArgumentNullException(nameof(uri));
+            if (uri.Length == 0) throw new ArgumentException("Uri can't be empty", nameof(uri));
 
             _options.AllowedSources.Add(uri);
             return this;
         }
 
         /// <summary>
-        /// Allow JavaScript with the given hash
+        /// Allow JavaScript with the given
         /// <paramref name="hash"/>.
         /// </summary>
-        /// <param name="hash">The URI to allow.</param>
+        /// <param name="hash">The hash to allow.</param>
         /// <returns>The builder for call chaining</returns>
         public CspScriptsBuilder WithHash(string hash)
         {
             if (hash == null) throw new ArgumentNullException(nameof(hash));
-            if(hash.Length == 0) throw new ArgumentException("Hash can't be empty", nameof(hash));
+            if (hash.Length == 0) throw new ArgumentException("Hash can't be empty", nameof(hash));
 
             _options.AllowedHashes.Add(hash);
             return this;

src/Joonasw.AspNetCore.SecurityHeaders/Csp/Builder/CspStylesBuilder.cs

@@ -48,12 +48,12 @@ public CspStylesBuilder From(string uri)
         /// Allow CSS with the given
         /// <paramref name="hash"/>.
         /// </summary>
-        /// <param name="hash">The Hash to allow.</param>
+        /// <param name="hash">The hash to allow.</param>
         /// <returns>The builder for call chaining</returns>
         public CspStylesBuilder WithHash(string hash)
         {
             if (hash == null) throw new ArgumentNullException(nameof(hash));
-            if(hash.Length == 0) throw new ArgumentException("Hash can't be empty", nameof(hash));
+            if (hash.Length == 0) throw new ArgumentException("Hash can't be empty", nameof(hash));
 
             _options.AllowedHashes.Add(hash);
             return this;

src/Joonasw.AspNetCore.SecurityHeaders/Csp/Options/CspScriptSrcOptions.cs

@@ -6,8 +6,11 @@ namespace Joonasw.AspNetCore.SecurityHeaders.Csp.Options
     public class CspScriptSrcOptions : CspSrcOptionsBase
     {
         public bool AddNonce { get; set; }
+
         public bool AllowUnsafeEval { get; set; }
+
         public bool AllowUnsafeInline { get; set; }
+
         /// <summary>
         /// Allow scripts that have been loaded with
         /// a trusted hash/nonce to load additional
@@ -17,36 +20,54 @@ public class CspScriptSrcOptions : CspSrcOptionsBase
         /// on all of them.
         /// </summary>
         public bool StrictDynamic { get; set; }
+
+        /// <summary>
+        /// Collection of hashes that can be loaded.
+        /// </summary>
+        public ICollection<string> AllowedHashes { get; set; }
+
         public CspScriptSrcOptions()
             : base("script-src")
         {
+            AllowedHashes = new List<string>();
         }
 
         protected override ICollection<string> GetParts(ICspNonceService nonceService)
         {
             ICollection<string> parts = base.GetParts(nonceService);
+
+            foreach (string allowedHash in AllowedHashes)
+            {
+                parts.Add($"'{allowedHash}'");
+            }
+
             if (AddNonce)
             {
-                if(nonceService == null)
+                if (nonceService == null)
                 {
                     throw new ArgumentNullException(
                         nameof(nonceService),
                         "Nonce service was not found, it needs to be added to the service collection");
                 }
+
                 parts.Add($"'nonce-{nonceService.GetNonce()}'");
             }
+
             if (AllowUnsafeEval)
             {
                 parts.Add("'unsafe-eval'");
             }
+
             if (AllowUnsafeInline)
             {
                 parts.Add("'unsafe-inline'");
             }
+
             if (StrictDynamic)
             {
                 parts.Add("'strict-dynamic'");
             }
+
             return parts;
         }
     }

src/Joonasw.AspNetCore.SecurityHeaders/Csp/Options/CspSrcOptionsBase.cs

@@ -11,11 +11,6 @@ public abstract class CspSrcOptionsBase
         /// </summary>
         public ICollection<string> AllowedSources { get; set; }
 
-        /// <summary>
-        /// Collection of hashes that can be loaded.
-        /// </summary>
-        public ICollection<string> AllowedHashes { get; set; }
-
         /// <summary>
         /// Allow loading these resources from the same domain as the app.
         /// </summary>
@@ -41,7 +36,6 @@ protected CspSrcOptionsBase(string directiveName)
         {
             _directiveName = directiveName + " ";
             AllowedSources = new List<string>();
-            AllowedHashes = new List<string>();
         }
 
         protected virtual ICollection<string> GetParts(ICspNonceService nonceService)
@@ -75,11 +69,6 @@ protected virtual ICollection<string> GetParts(ICspNonceService nonceService)
                 {
                     parts.Add(allowedSource);
                 }
-
-                foreach (string allowedHash in AllowedHashes)
-                {
-                    parts.Add($"'{allowedHash}'");
-                }
             }
             return parts;
         }

src/Joonasw.AspNetCore.SecurityHeaders/Csp/Options/CspStyleSrcOptions.cs

@@ -6,16 +6,29 @@ namespace Joonasw.AspNetCore.SecurityHeaders.Csp.Options
     public class CspStyleSrcOptions : CspSrcOptionsBase
     {
         public bool AddNonce { get; set; }
+
         public bool AllowUnsafeInline { get; set; }
 
+        /// <summary>
+        /// Collection of hashes that can be loaded.
+        /// </summary>
+        public ICollection<string> AllowedHashes { get; set; }
+
         public CspStyleSrcOptions()
             : base("style-src")
         {
+            AllowedHashes = new List<string>();
         }
 
         protected override ICollection<string> GetParts(ICspNonceService nonceService)
         {
             ICollection<string> parts = base.GetParts(nonceService);
+
+            foreach (string allowedHash in AllowedHashes)
+            {
+                parts.Add($"'{allowedHash}'");
+            }
+
             if (AddNonce)
             {
                 if (nonceService == null)
@@ -24,12 +37,15 @@ protected override ICollection<string> GetParts(ICspNonceService nonceService)
                         nameof(nonceService),
                         "Nonce service was not found, it needs to be added to the service collection");
                 }
+
                 parts.Add($"'nonce-{nonceService.GetNonce()}'");
             }
+
             if (AllowUnsafeInline)
             {
                 parts.Add("'unsafe-inline'");
             }
+
             return parts;
         }
     }

src/Joonasw.AspNetCore.SecurityHeaders/Joonasw.AspNetCore.SecurityHeaders.csproj

@@ -1,15 +1,15 @@
 <Project Sdk="Microsoft.NET.Sdk">
     <PropertyGroup>
-        <TargetFrameworks>netcoreapp3.1;net5.0;net6.0</TargetFrameworks>
-        <Version>4.0.1</Version>
+        <TargetFrameworks>net6.0;net7.0</TargetFrameworks>
+        <Version>5.0.0</Version>
         <Title>Joonasw.AspNetCore.SecurityHeaders</Title>
         <Authors>Joonas Westlin</Authors>
         <Description>Middleware for adding security headers to an ASP.NET Core application. Allows you to easily add Content Security Policy, Strict Transport Security, and Public Key Pins to an app.</Description>
         <Copyright>Copyright 2022 Joonas Westlin</Copyright>
         <GeneratePackageOnBuild>True</GeneratePackageOnBuild>
         <PackageLicenseFile>LICENSE.txt</PackageLicenseFile>
         <PackageProjectUrl>https://github.com/juunas11/aspnetcore-security-headers</PackageProjectUrl>
-        <PackageReleaseNotes>Rename UseHsts to UseStrictTransportSecurity to remove conflict with framework counterpart.</PackageReleaseNotes>
+        <PackageReleaseNotes>Remove support for .NET Core 3.1 and .NET 5, add support for .NET 7. Add AllowedHashes to CSS and JS in CSP.</PackageReleaseNotes>
         <PackageTags>aspnetcore security headers hsts hpkp csp</PackageTags>
         <RepositoryUrl>https://github.com/juunas11/aspnetcore-security-headers</RepositoryUrl>
         <!-- Source Link support -->
@@ -23,20 +23,15 @@
         <None Include="..\..\LICENSE.txt" Pack="true" PackagePath="LICENSE.txt"/>
     </ItemGroup>
     <ItemGroup>
-        <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.2.0" />
-        <PackageReference Include="Microsoft.AspNetCore.Razor" Version="2.2.0" />
+        <FrameworkReference Include="Microsoft.AspNetCore.App" />
         <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.1.1" PrivateAssets="All" />
     </ItemGroup>
-    <ItemGroup Condition="$(TargetFramework) == 'netcoreapp3.1'">
-        <PackageReference Include="Microsoft.Extensions.Options" Version="3.1.21" />
-        <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="3.1.21" />
-    </ItemGroup>
-    <ItemGroup Condition="$(TargetFramework) == 'net5.0'">
-        <PackageReference Include="Microsoft.Extensions.Options" Version="5.0.0" />
-        <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="5.0.0" />
-    </ItemGroup>
     <ItemGroup Condition="$(TargetFramework) == 'net6.0'">
         <PackageReference Include="Microsoft.Extensions.Options" Version="6.0.0" />
         <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="6.0.0" />
     </ItemGroup>
+    <ItemGroup Condition="$(TargetFramework) == 'net7.0'">
+        <PackageReference Include="Microsoft.Extensions.Options" Version="7.0.1" />
+        <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="7.0.0" />
+    </ItemGroup>
 </Project>

test/Joonasw.AspNetCore.SecurityHeaders.Samples/Joonasw.AspNetCore.SecurityHeaders.Samples.csproj

@@ -1,8 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
-    <!--<TargetFramework>netcoreapp3.1</TargetFramework>-->
-    <!--<TargetFramework>net5.0</TargetFramework>-->
-    <TargetFramework>net6.0</TargetFramework>
+    <!--<TargetFramework>net6.0</TargetFramework>-->
+    <TargetFramework>net7.0</TargetFramework>
     <UserSecretsId>33ce3d09-4099-4a8e-93af-049b12b6eb90</UserSecretsId>
   </PropertyGroup>
   <ItemGroup>

test/Joonasw.AspNetCore.SecurityHeaders.Samples/Properties/launchSettings.json

@@ -15,7 +15,7 @@
         "ASPNETCORE_ENVIRONMENT": "Development"
       }
     },
-    "WebApplication1": {
+    "Samples": {
       "commandName": "Project",
       "launchBrowser": true,
       "environmentVariables": {

test/Joonasw.AspNetCore.SecurityHeaders.Samples/Views/Shared/_Layout.cshtml

@@ -17,13 +17,16 @@
         <link rel="stylesheet" href="~/css/site.min.css" asp-append-version="true" />
     </environment>
     <script asp-add-nonce="true">
-        console.log("Test");
+        console.log("Test for nonce");
     </script>
     <style asp-add-nonce="true">
         h2 {
             font-size: 40px;
         }
     </style>
+    <script>
+        console.log("Test for hash");
+    </script>
 </head>
 <body>
     <div class="navbar navbar-inverse navbar-fixed-top">

test/Joonasw.AspNetCore.SecurityHeaders.Samples/appsettings.json

@@ -32,6 +32,9 @@
         "localhost:44342",
         "ajax.aspnetcdn.com"
       ],
+      "AllowedHashes": [
+        "sha256-MV3a0caNPWq8CgfaHwRc3OtqWiEXK6Mo0nt+/2nFwV0="
+      ]
       //"StrictDynamic": true
     },
     "Style": {

test/Joonasw.AspNetCore.SecurityHeaders.Tests/CspStylesBuilderTests.cs

@@ -40,7 +40,7 @@ public void From_AddsUrlToAllowedSources()
 
             Assert.Equal("www.google.com", options.AllowedSources.Single());
         }
-        
+
         [Fact]
         public void From_ThrowsArgumentNullException_WithNullUrl()
         {

test/Joonasw.AspNetCore.SecurityHeaders.Tests/Joonasw.AspNetCore.SecurityHeaders.Tests.csproj

@@ -1,13 +1,12 @@
 <Project Sdk="Microsoft.NET.Sdk">
     <PropertyGroup>
-        <TargetFrameworks>netcoreapp3.1;net5.0;net6.0</TargetFrameworks>
+        <TargetFrameworks>net6.0;net7.0</TargetFrameworks>
         <IsPackable>false</IsPackable>
     </PropertyGroup>
     <ItemGroup>
-        <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.2.2" />
-        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.0.0" />
-        <PackageReference Include="xunit" Version="2.4.1" />
-        <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.6.0" />
+        <PackageReference Include="xunit" Version="2.4.2" />
+        <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>