use nwebsec on SampleMvc to emit CSP headers

stevenna · May 30, 2019 · f9427d3 · f9427d3
1 parent 8545f96
commit f9427d3
Show file tree

Hide file tree

Showing 7 changed files with 852 additions and 8 deletions.
diff --git a/Samples/SampleMvcApplication/NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd b/Samples/SampleMvcApplication/NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd
diff --git a/Samples/SampleMvcApplication/SampleMvcApplication.csproj b/Samples/SampleMvcApplication/SampleMvcApplication.csproj
@@ -42,11 +42,21 @@
     <Reference Include="Newtonsoft.Json, Version=11.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
       <HintPath>..\..\packages\Newtonsoft.Json.11.0.2\lib\net45\Newtonsoft.Json.dll</HintPath>
     </Reference>
+    <Reference Include="NWebsec, Version=5.1.1.0, Culture=neutral, PublicKeyToken=3613da5f958908a1, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\NWebsec.5.1.1\lib\net45\NWebsec.dll</HintPath>
+    </Reference>
+    <Reference Include="NWebsec.Core, Version=2.1.0.0, Culture=neutral, PublicKeyToken=3613da5f958908a1, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\NWebsec.Core.2.1.0\lib\net45\NWebsec.Core.dll</HintPath>
+    </Reference>
+    <Reference Include="NWebsec.Mvc, Version=5.1.1.0, Culture=neutral, PublicKeyToken=3613da5f958908a1, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\NWebsec.Mvc.5.1.1\lib\net45\NWebsec.Mvc.dll</HintPath>
+    </Reference>
     <Reference Include="System" />
     <Reference Include="System.Data" />
     <Reference Include="System.Data.DataSetExtensions" />
     <Reference Include="System.Data.Entity" />
     <Reference Include="System.Drawing" />
+    <Reference Include="System.Security" />
     <Reference Include="System.Web.DynamicData" />
     <Reference Include="System.Web.Entity" />
     <Reference Include="System.Web.ApplicationServices" />
@@ -126,6 +136,9 @@
     <Content Include="Content\bootstrap.css.map" />
     <Content Include="App_Data\Sustainsys.Saml2.Tests.pfx" />
     <Content Include="App_Data\stubidp.sustainsys.com.cer" />
+    <None Include="NWebsecConfig\HttpHeaderSecurityModuleConfig.xsd">
+      <SubType>Designer</SubType>
+    </None>
     <None Include="Scripts\jquery-1.10.2.intellisense.js" />
     <None Include="Scripts\jquery-2.1.1.intellisense.js" />
     <Content Include="Scripts\jquery-2.1.1.js" />

diff --git a/Samples/SampleMvcApplication/Views/Shared/_Layout.cshtml b/Samples/SampleMvcApplication/Views/Shared/_Layout.cshtml
@@ -1,4 +1,5 @@
-<!DOCTYPE html>
+@using NWebsec.Mvc.HttpHeaders.Csp
+<!DOCTYPE html>
 <html>
 <head>
     <meta charset="utf-8" />
@@ -39,8 +40,8 @@
         </footer>
     </div>
 
-    @Scripts.Render("~/bundles/jquery")
-    @Scripts.Render("~/bundles/bootstrap")
+    @Scripts.RenderFormat("<script src='{0}'" + @Html.CspScriptNonce() + "></script>", "~/bundles/jquery")
+    @Scripts.RenderFormat("<script src='{0}'" + @Html.CspScriptNonce() + "></script>", "~/bundles/bootstrap")
     @RenderSection("scripts", required: false)
 </body>
 </html>
diff --git a/Samples/SampleMvcApplication/Web.config b/Samples/SampleMvcApplication/Web.config
@@ -8,6 +8,10 @@
     <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
     <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
     <section name="sustainsys.saml2" type="Sustainsys.Saml2.Configuration.SustainsysSaml2Section, Sustainsys.Saml2"/>
+    <sectionGroup name="nwebsec">
+      <!-- For information on how to configure NWebsec please visit: https://docs.nwebsec.com/ -->
+      <section name="httpHeaderSecurityModule" type="NWebsec.Modules.Configuration.HttpHeaderSecurityConfigurationSection, NWebsec" requirePermission="false" />
+    </sectionGroup>
   </configSections>
   <appSettings>
     <add key="webpages:Version" value="3.0.0.0"/>
@@ -25,15 +29,28 @@
   -->
   <system.web>
     <compilation debug="true" targetFramework="4.7"/>
-    <httpRuntime targetFramework="4.5"/>
+    <httpRuntime targetFramework="4.5" enableVersionHeader="false" />
     <authentication mode="Forms">
       <forms loginUrl="~/Saml2/SignIn"/>
     </authentication>
   </system.web>
   <system.webServer>
     <modules>
       <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler"/>
+      <add name="NWebsecHttpHeaderSecurityModule" type="NWebsec.Modules.HttpHeaderSecurityModule, NWebsec" />
     </modules>
+    <httpProtocol>
+      <customHeaders>
+        <clear />
+      </customHeaders>
+    </httpProtocol>
+    <security>
+      <requestFiltering>
+        <hiddenSegments>
+          <add segment="NWebsecConfig" />
+        </hiddenSegments>
+      </requestFiltering>
+    </security>
   </system.webServer>
   <sustainsys.saml2 entityId="http://localhost:2181/Saml2" returnUrl="http://localhost:2181/" discoveryServiceUrl="http://localhost:52071/DiscoveryService">
     <identityProviders>
@@ -89,4 +106,28 @@
       </dependentAssembly>
     </assemblyBinding>
   </runtime>
+  <nwebsec>
+    <httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd">
+      <securityHttpHeaders>
+        <x-Frame-Options policy="Deny"/>
+        <x-Content-Type-Options enabled="true" />
+        <content-Security-Policy enabled="true">
+          <default-src self="true"/>
+          <script-src self="true" strictDynamic="true">
+            <!--the auto-posting javascript generated when HttpPost binding is in use-->
+            <add source="sha256-P3ctnFLM5WKMitbWbZPkh7TsbhvCPtdF7mlwMUv2pgc="/>
+          </script-src>
+          <style-src unsafeInline="false" self="true" />
+          <img-src self="true">
+          </img-src>
+          <object-src none="true" />
+          <media-src none="true" />
+          <frame-src none="true" />
+          <font-src self="true" />
+          <connect-src none="true" />
+          <frame-ancestors none="true" />
+        </content-Security-Policy>
+      </securityHttpHeaders>
+    </httpHeaderSecurityModule>
+  </nwebsec>
 </configuration>
diff --git a/Samples/SampleMvcApplication/packages.config b/Samples/SampleMvcApplication/packages.config
@@ -10,6 +10,9 @@
   <package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net45" />
   <package id="Modernizr" version="2.8.3" targetFramework="net45" />
   <package id="Newtonsoft.Json" version="11.0.2" targetFramework="net461" />
+  <package id="NWebsec" version="5.1.1" targetFramework="net47" />
+  <package id="NWebsec.Core" version="2.1.0" targetFramework="net47" />
+  <package id="NWebsec.Mvc" version="5.1.1" targetFramework="net47" />
   <package id="Respond" version="1.4.2" targetFramework="net45" />
   <package id="WebGrease" version="1.6.0" targetFramework="net45" />
 </packages>
diff --git a/Sustainsys.Saml2/WebSSO/Saml2PostBinding.cs b/Sustainsys.Saml2/WebSSO/Saml2PostBinding.cs
@@ -93,7 +93,7 @@ public override CommandResult Bind(ISaml2Message message, ILoggerAdapter logger)
 <!DOCTYPE html PUBLIC ""-//W3C//DTD XHTML 1.1//EN""
 ""http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"">
 <html xmlns=""http://www.w3.org/1999/xhtml"" xml:lang=""en"">
-<body onload=""document.forms[0].submit()"">
+<body>
 <noscript>
 <p>
 <strong>Note:</strong> Since your browser does not support JavaScript, 
@@ -111,6 +111,9 @@ you must press the Continue button once to proceed.
 </div>
 </noscript>
 </form>
+<script type=""text/javascript"">
+document.forms[0].submit();
+</script>
 </body>
 </html>";
     }

diff --git a/Tests/Tests.Shared/WebSSO/Saml2PostBindingTests.cs b/Tests/Tests.Shared/WebSSO/Saml2PostBindingTests.cs
@@ -133,7 +133,7 @@ public void Saml2PostBinding_Bind()
 <!DOCTYPE html PUBLIC ""-//W3C//DTD XHTML 1.1//EN""
 ""http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"">
 <html xmlns=""http://www.w3.org/1999/xhtml"" xml:lang=""en"">
-<body onload=""document.forms[0].submit()"">
+<body>
 <noscript>
 <p>
 <strong>Note:</strong> Since your browser does not support JavaScript, 
@@ -151,6 +151,9 @@ you must press the Continue button once to proceed.
 </div>
 </noscript>
 </form>
+<script type=""text/javascript"">
+document.forms[0].submit();
+</script>
 </body>
 </html>"
             };
@@ -178,7 +181,7 @@ public void Saml2PostBinding_Bind_WithRelayState()
 <!DOCTYPE html PUBLIC ""-//W3C//DTD XHTML 1.1//EN""
 ""http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"">
 <html xmlns=""http://www.w3.org/1999/xhtml"" xml:lang=""en"">
-<body onload=""document.forms[0].submit()"">
+<body>
 <noscript>
 <p>
 <strong>Note:</strong> Since your browser does not support JavaScript, 
@@ -197,6 +200,9 @@ you must press the Continue button once to proceed.
 </div>
 </noscript>
 </form>
+<script type=""text/javascript"">
+document.forms[0].submit();
+</script>
 </body>
 </html>"
             };
@@ -229,7 +235,7 @@ public void Saml2PostBinding_Bind_SignsXml()
 <!DOCTYPE html PUBLIC ""-//W3C//DTD XHTML 1.1//EN""
 ""http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"">
 <html xmlns=""http://www.w3.org/1999/xhtml"" xml:lang=""en"">
-<body onload=""document.forms[0].submit()"">
+<body>
 <noscript>
 <p>
 <strong>Note:</strong> Since your browser does not support JavaScript, 
@@ -248,6 +254,9 @@ you must press the Continue button once to proceed.
 </div>
 </noscript>
 </form>
+<script type=""text/javascript"">
+document.forms[0].submit();
+</script>
 </body>
 </html>"
             };