From dafcfcf62e269ded1024688b35c3574bfd5a1329 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 8 Jul 2024 20:57:21 +0200 Subject: [PATCH 01/10] Adding some further CDNs to the permitted ones in the CSP headers --- .../Security/CdnContentSecurityPolicyProvider.cs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs index 543f7ddc..6d4b5d98 100644 --- a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs +++ b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs @@ -19,12 +19,13 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider /// public static ConcurrentBag PermittedStyleSources { get; } = new( [ - "fonts.googleapis.com", - "fonts.gstatic.com", // #spell-check-ignore-line "cdn.jsdelivr.net", // #spell-check-ignore-line - "fastly.jsdelivr.net", // #spell-check-ignore-line "cdnjs.cloudflare.com", // #spell-check-ignore-line + "fastly.jsdelivr.net", // #spell-check-ignore-line + "fonts.googleapis.com", + "fonts.gstatic.com", // #spell-check-ignore-line "maxcdn.bootstrapcdn.com", // #spell-check-ignore-line + "unpkg.com", ]); /// @@ -37,6 +38,7 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider "code.jquery.com", "fastly.jsdelivr.net", // #spell-check-ignore-line "maxcdn.bootstrapcdn.com", // #spell-check-ignore-line + "unpkg.com", ]); /// @@ -45,6 +47,7 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider public static ConcurrentBag PermittedFontSources { get; } = new( [ "cdn.jsdelivr.net", // #spell-check-ignore-line + "cdnjs.cloudflare.com", // #spell-check-ignore-line "fonts.googleapis.com", "fonts.gstatic.com", // #spell-check-ignore-line ]); 
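Review bot: Adding `unpkg.com` (next to the already-listed `cdn.jsdelivr.net` and `cdnjs.cloudflare.com`) to `PermittedScriptSources` lets the default `script-src` load any file from a host that mirrors every package published to npm, so an attacker who can inject a `<script src>` no longer needs to host a payload anywhere — host-wide CDN allowlists are the standard way a CSP gets bypassed, and this change widens that surface further. Prefer path-scoped source expressions for the packages actually used, e.g. `"unpkg.com/<package>@<version>/"`, together with `integrity` attributes on the script tags that reference them; if the host-wide default has to stay, add a `/// <remarks>` on the property warning that each entry effectively grants script execution to anything published on that CDN. `cdnjs.cloudflare.com` in `PermittedFontSources` is lower risk, since fonts are not executable. These lists are static defaults shared by every consumer of the library, and the class continues outside the hunk.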
From db4cb088781cd06772601093bd3ae0a4c9aba535 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 8 Jul 2024 22:54:20 +0200 Subject: [PATCH 02/10] Code styling --- .../Security/CdnContentSecurityPolicyProvider.cs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs index 6d4b5d98..bbc41fc3 100644 --- a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs +++ b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs @@ -17,7 +17,7 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider /// /// Gets the sources that will be added to the directive. /// - public static ConcurrentBag PermittedStyleSources { get; } = new( + public static ConcurrentBag PermittedStyleSources { get; } = [ "cdn.jsdelivr.net", // #spell-check-ignore-line "cdnjs.cloudflare.com", // #spell-check-ignore-line @@ -26,12 +26,12 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider "fonts.gstatic.com", // #spell-check-ignore-line "maxcdn.bootstrapcdn.com", // #spell-check-ignore-line "unpkg.com", - ]); + ]; /// /// Gets the sources that will be added to the directive. /// - public static ConcurrentBag PermittedScriptSources { get; } = new( + public static ConcurrentBag PermittedScriptSources { get; } = [ "cdn.jsdelivr.net", // #spell-check-ignore-line "cdnjs.cloudflare.com", // #spell-check-ignore-line 
@@ -39,18 +39,18 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider "fastly.jsdelivr.net", // #spell-check-ignore-line "maxcdn.bootstrapcdn.com", // #spell-check-ignore-line "unpkg.com", - ]); + ]; /// /// Gets the sources that will be added to the directive. /// - public static ConcurrentBag PermittedFontSources { get; } = new( + public static ConcurrentBag PermittedFontSources { get; } = [ "cdn.jsdelivr.net", // #spell-check-ignore-line "cdnjs.cloudflare.com", // #spell-check-ignore-line "fonts.googleapis.com", "fonts.gstatic.com", // #spell-check-ignore-line - ]); + ]; /// /// Gets the sources that will be added to the directive. From bd895b2cf724087759f3708297dc771449ef8bd7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 8 Jul 2024 22:54:45 +0200 Subject: [PATCH 03/10] Adding CSP provider for X (Twitter) --- .../Docs/Security.md | 1 + .../ContentSecurityPolicyDirectives.cs | 14 ++++++++--- .../XWidgetsContentSecurityPolicyProvider.cs | 25 +++++++++++++++++++ .../Docs/Security.md | 10 +++++--- 4 files changed, 43 insertions(+), 7 deletions(-) create mode 100644 Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md b/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md index 6bf831d8..f48e316b 100644 --- a/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md +++ b/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md 
@@ -8,6 +8,7 @@ - `EmbeddedMediaContentSecurityPolicyProvider`: An optional policy provider that permits additional host names used by usual media embedding sources (like YouTube) for the `frame-scr` directive. - `IContentSecurityPolicyProvider`: Interface for services that update the dictionary that will be turned into the `Content-Security-Policy` header value. - `ServiceCollectionExtensions`: Extensions methods for `IServiceCollection`, e.g. `AddContentSecurityPolicyProvider()` is a shortcut to register `IContentSecurityPolicyProvider` in dependency injection. +- `XWidgetsContentSecurityPolicyProvider`: An optional content security policy provider that provides configuration to allow the usage of X (Twitter) social widgets. There is a similar section for security extensions related to Orchard Core [here](../../Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md). diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/ContentSecurityPolicyDirectives.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/ContentSecurityPolicyDirectives.cs index 81c0c321..8ae1cd92 100644 --- a/Lombiq.HelpfulLibraries.AspNetCore/Security/ContentSecurityPolicyDirectives.cs +++ b/Lombiq.HelpfulLibraries.AspNetCore/Security/ContentSecurityPolicyDirectives.cs @@ -1,8 +1,9 @@ -namespace Lombiq.HelpfulLibraries.AspNetCore.Security; +namespace Lombiq.HelpfulLibraries.AspNetCore.Security; /// -/// The Content-Security-Policy directives defined in the W3C -/// Recommendation. +/// The Content-Security-Policy directives defined in the W3C +/// Recommendation (also see the MDN page). /// public static class ContentSecurityPolicyDirectives { 
@@ -15,13 +16,20 @@ public static class ContentSecurityPolicyDirectives public const string FrameAncestors = "frame-ancestors"; public const string FrameSrc = "frame-src"; public const string ImgSrc = "img-src"; + public const string ManifestSrc = "manifest-src"; public const string MediaSrc = "media-src"; public const string ObjectSrc = "object-src"; public const string PluginTypes = "plugin-types"; + public const string ReportTo = "report-to"; public const string ReportUri = "report-uri"; public const string Sandbox = "sandbox"; public const string ScriptSrc = "script-src"; + public const string ScriptSrcAttr = "script-src-attr"; + public const string ScriptSrcElem = "script-src-elem"; public const string StyleSrc = "style-src"; + public const string StyleSrcAttr = "style-src-attr"; + public const string UpgradeInsecureRequests = "upgrade-insecure-requests"; + public const string StyleSrcElem = "style-src-elem"; public const string WorkerSrc = "worker-src"; public static class CommonValues diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs new file mode 100644 index 00000000..02a12cf9 --- /dev/null +++ b/Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs 
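Review bot: `UpgradeInsecureRequests` is inserted between `StyleSrcAttr` and `StyleSrcElem`, breaking the alphabetical order the rest of the constant list keeps; move it below `StyleSrcElem`, just before `WorkerSrc`. The new `ReportTo` constant also deserves a one-line `///` note, because a `report-to` directive only does something when the response also carries a `Reporting-Endpoints` (or legacy `Report-To`) header defining the named group — on its own it is ignored, and `report-uri` (already present) is what older engines still honor. Suggested: `/// Requires a matching endpoint group declared via the Reporting-Endpoints (or legacy Report-To) response header.`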
@@ -0,0 +1,25 @@
+using Microsoft.AspNetCore.Http;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using static Lombiq.HelpfulLibraries.AspNetCore.Security.ContentSecurityPolicyDirectives;
+
+namespace Lombiq.HelpfulLibraries.AspNetCore.Security;
+
+///
+/// An optional content security policy provider that provides configuration to allow the usage of X (Twitter) social
+/// widgets.
+///
+public class XWidgetsContentSecurityPolicyProvider : IContentSecurityPolicyProvider
+{
+ private const string PlatformDotTwitter = "platform.twitter.com";
+
+ public ValueTask UpdateAsync(IDictionary securityPolicies, HttpContext context)
+ {
+ CspHelper.MergeValues(securityPolicies, FrameSrc, PlatformDotTwitter);
+ CspHelper.MergeValues(securityPolicies, ImgSrc, PlatformDotTwitter, "syndication.twitter.com");
+ CspHelper.MergeValues(securityPolicies, StyleSrc, PlatformDotTwitter);
+ CspHelper.MergeValues(securityPolicies, ScriptSrc, PlatformDotTwitter);
+
+ return ValueTask.CompletedTask;
+ }
+}
diff --git a/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md b/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md
index 56e3e66d..62d20897 100644
--- a/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md
+++ b/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md
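Review bot: `UpdateAsync` merges `platform.twitter.com` into `script-src`, `style-src`, `frame-src` and `img-src` on every response unconditionally, so once this provider is registered even pages that never render an X widget (admin UI, login) allow scripts from that host. Unlike `GoogleAnalyticsContentSecurityPolicyProvider`, which is gated on an `HttpContext.Items` flag, there is no per-request switch here; either add the same kind of `context.Items` gate that the rendering code sets, or state in the `<summary>` that the permissions are site-wide so consumers can decide, e.g. `/// The directives are added to every response, not only to pages that embed a widget.` Before relying on the list it is also worth loading an embedded tweet or timeline in a browser with the policy enforced: such widgets commonly fetch data with XHR, which would need a `connect-src` entry this provider does not add.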
@@ -1,13 +1,13 @@ # Lombiq Helpful Libraries - Orchard Core Libraries - Security -## Extensions - -- `SecurityOrchardCoreBuilderExtensions`: Adds `BuilderExtensions` extensions. For example, the `ConfigureSecurityDefaultsWithStaticFiles()` that provides some default security configuration for Orchard Core. - There is a similar section for security extensions related to ASP.NET Core [here](../../Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md). All of the services mentioned in both documents are included in the `ConfigureSecurityDefaults()` and `ConfigureSecurityDefaultsWithStaticFiles()` extensions. These extensions provide additional security and can resolve issues reported by the [ZAP security scanner](https://github.com/Lombiq/UI-Testing-Toolbox/blob/dev/Lombiq.Tests.UI/Docs/SecurityScanning.md). +## Extensions + +- `SecurityOrchardCoreBuilderExtensions`: Adds `BuilderExtensions` extensions. For example, the `ConfigureSecurityDefaultsWithStaticFiles()` that provides some default security configuration for Orchard Core. + ## Attributes - `ContentSecurityPolicyAttribute`: You can add the `[ContentSecurityPolicy(value, name)]` attribute to any MVC action's method. This way you can grant per-action content security policy permissions, right there in the controller. These attributes are handled by the `ContentSecurityPolicyAttributeContentSecurityPolicyProvider`. 
@@ -19,3 +19,5 @@ These extensions provide additional security and can resolve issues reported by - `ReCaptchaContentSecurityPolicyProvider`: Provides various directives for the `Content-Security-Policy` header, allowing using ReCaptcha captchas. Is automatically enabled when the `OrchardCore.ReCaptcha` feature is enabled. - `ResourceManagerContentSecurityPolicyProvider`: An abstract base class for implementing content security policy providers that trigger when the specified resource is included. - `VueContentSecurityPolicyProvider`: An implementation of `ResourceManagerContentSecurityPolicyProvider` that adds `script-src: unsafe-eval` permission to the page if it uses the `vuejs` resource. This includes any Vue.js app in stock Orchard Core, apps you create in your view files, and SFCs created with the Lombiq.VueJs module. This is necessary, because without `unsafe-eval` Vue.js only supports templates that are pre-compiled into JS code. + +You can configure optional or custom content security policy providers by implementing the `IContentSecurityPolicyProvider` interface and registering them in the DI container with `AddContentSecurityPolicyProvider()`, e.g. `services.AddContentSecurityPolicyProvider();` in a `Startup` class. You can also register providers for the whole app (i.e. all tenants) from the root `Program` class via `OrchardCoreBuilder.ApplicationServices`. From 484262d25427f53fc8ecd4569e3404232d006712 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 8 Jul 2024 23:00:17 +0200 Subject: [PATCH 04/10] Spelling --- Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md | 2 +- .../Security/CdnContentSecurityPolicyProvider.cs | 4 ++-- .../Security/XWidgetsContentSecurityPolicyProvider.cs | 2 +- Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md b/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md index f48e316b..8fe3b642 100644 --- a/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md +++ b/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md @@ -8,7 +8,7 @@ - `EmbeddedMediaContentSecurityPolicyProvider`: An optional policy provider that permits additional host names used by usual media embedding sources (like YouTube) for the `frame-scr` directive. - `IContentSecurityPolicyProvider`: Interface for services that update the dictionary that will be turned into the `Content-Security-Policy` header value. - `ServiceCollectionExtensions`: Extensions methods for `IServiceCollection`, e.g. `AddContentSecurityPolicyProvider()` is a shortcut to register `IContentSecurityPolicyProvider` in dependency injection. -- `XWidgetsContentSecurityPolicyProvider`: An optional content security policy provider that provides configuration to allow the usage of X (Twitter) social widgets. +- `XWidgetsContentSecurityPolicyProvider`: An optional content security policy provider that provides configuration to allow the usage of X (Twitter) social widgets. There is a similar section for security extensions related to Orchard Core [here](../../Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md). diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs index bbc41fc3..7822ef06 100644 --- a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs +++ b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs @@ -25,7 +25,7 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider "fonts.googleapis.com", "fonts.gstatic.com", // #spell-check-ignore-line "maxcdn.bootstrapcdn.com", // #spell-check-ignore-line - "unpkg.com", + "unpkg.com", // #spell-check-ignore-line ]; /// 
@@ -38,7 +38,7 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider "code.jquery.com", "fastly.jsdelivr.net", // #spell-check-ignore-line "maxcdn.bootstrapcdn.com", // #spell-check-ignore-line - "unpkg.com", + "unpkg.com", // #spell-check-ignore-line ]; /// diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs index 02a12cf9..0af51e12 100644 --- a/Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs +++ b/Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs @@ -9,7 +9,7 @@ namespace Lombiq.HelpfulLibraries.AspNetCore.Security; /// An optional content security policy provider that provides configuration to allow the usage of X (Twitter) social /// widgets. /// -public class XWidgetsContentSecurityPolicyProvider : IContentSecurityPolicyProvider +public class XWidgetsContentSecurityPolicyProvider : IContentSecurityPolicyProvider // #spell-check-ignore-line { private const string PlatformDotTwitter = "platform.twitter.com"; diff --git a/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md b/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md index 62d20897..a6cc3cac 100644 --- a/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md +++ b/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md 
@@ -20,4 +20,4 @@ These extensions provide additional security and can resolve issues reported by - `ResourceManagerContentSecurityPolicyProvider`: An abstract base class for implementing content security policy providers that trigger when the specified resource is included. - `VueContentSecurityPolicyProvider`: An implementation of `ResourceManagerContentSecurityPolicyProvider` that adds `script-src: unsafe-eval` permission to the page if it uses the `vuejs` resource. This includes any Vue.js app in stock Orchard Core, apps you create in your view files, and SFCs created with the Lombiq.VueJs module. This is necessary, because without `unsafe-eval` Vue.js only supports templates that are pre-compiled into JS code. -You can configure optional or custom content security policy providers by implementing the `IContentSecurityPolicyProvider` interface and registering them in the DI container with `AddContentSecurityPolicyProvider()`, e.g. `services.AddContentSecurityPolicyProvider();` in a `Startup` class. You can also register providers for the whole app (i.e. all tenants) from the root `Program` class via `OrchardCoreBuilder.ApplicationServices`. +You can configure optional or custom content security policy providers by implementing the `IContentSecurityPolicyProvider` interface and registering them in the DI container with `AddContentSecurityPolicyProvider()`, e.g. `services.AddContentSecurityPolicyProvider();` in a `Startup` class. You can also register providers for the whole app (i.e. all tenants) from the root `Program` class via `OrchardCoreBuilder.ApplicationServices`. From 68b1aec56b601156f4e3eb7d00353ccce4598af7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 8 Jul 2024 23:11:07 +0200 Subject: [PATCH 05/10] No need for separate XWidgets spelling ignore now --- Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md | 2 +- .../Security/XWidgetsContentSecurityPolicyProvider.cs | 2 +- Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md b/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md index 8fe3b642..f48e316b 100644 --- a/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md +++ b/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md @@ -8,7 +8,7 @@ - `EmbeddedMediaContentSecurityPolicyProvider`: An optional policy provider that permits additional host names used by usual media embedding sources (like YouTube) for the `frame-scr` directive. - `IContentSecurityPolicyProvider`: Interface for services that update the dictionary that will be turned into the `Content-Security-Policy` header value. - `ServiceCollectionExtensions`: Extensions methods for `IServiceCollection`, e.g. `AddContentSecurityPolicyProvider()` is a shortcut to register `IContentSecurityPolicyProvider` in dependency injection. -- `XWidgetsContentSecurityPolicyProvider`: An optional content security policy provider that provides configuration to allow the usage of X (Twitter) social widgets. +- `XWidgetsContentSecurityPolicyProvider`: An optional content security policy provider that provides configuration to allow the usage of X (Twitter) social widgets. There is a similar section for security extensions related to Orchard Core [here](../../Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md). diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs index 0af51e12..02a12cf9 100644 
--- a/Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs +++ b/Lombiq.HelpfulLibraries.AspNetCore/Security/XWidgetsContentSecurityPolicyProvider.cs @@ -9,7 +9,7 @@ namespace Lombiq.HelpfulLibraries.AspNetCore.Security; /// An optional content security policy provider that provides configuration to allow the usage of X (Twitter) social /// widgets. /// -public class XWidgetsContentSecurityPolicyProvider : IContentSecurityPolicyProvider // #spell-check-ignore-line +public class XWidgetsContentSecurityPolicyProvider : IContentSecurityPolicyProvider { private const string PlatformDotTwitter = "platform.twitter.com"; diff --git a/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md b/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md index a6cc3cac..62d20897 100644 --- a/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md +++ b/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md 
@@ -20,4 +20,4 @@ These extensions provide additional security and can resolve issues reported by - `ResourceManagerContentSecurityPolicyProvider`: An abstract base class for implementing content security policy providers that trigger when the specified resource is included. - `VueContentSecurityPolicyProvider`: An implementation of `ResourceManagerContentSecurityPolicyProvider` that adds `script-src: unsafe-eval` permission to the page if it uses the `vuejs` resource. This includes any Vue.js app in stock Orchard Core, apps you create in your view files, and SFCs created with the Lombiq.VueJs module. This is necessary, because without `unsafe-eval` Vue.js only supports templates that are pre-compiled into JS code. -You can configure optional or custom content security policy providers by implementing the `IContentSecurityPolicyProvider` interface and registering them in the DI container with `AddContentSecurityPolicyProvider()`, e.g. `services.AddContentSecurityPolicyProvider();` in a `Startup` class. You can also register providers for the whole app (i.e. all tenants) from the root `Program` class via `OrchardCoreBuilder.ApplicationServices`. +You can configure optional or custom content security policy providers by implementing the `IContentSecurityPolicyProvider` interface and registering them in the DI container with `AddContentSecurityPolicyProvider()`, e.g. `services.AddContentSecurityPolicyProvider();` in a `Startup` class. You can also register providers for the whole app (i.e. all tenants) from the root `Program` class via `OrchardCoreBuilder.ApplicationServices`. From ed07555d36837db3cb8431e257350748c18c5340 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 8 Jul 2024 23:31:45 +0200 Subject: [PATCH 06/10] Adding fonts.cdnfonts.com to the CSP CDNs --- .../Security/CdnContentSecurityPolicyProvider.cs | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs index 7822ef06..12b7ffdd 100644 --- a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs +++ b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs @@ -22,6 +22,7 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider "cdn.jsdelivr.net", // #spell-check-ignore-line "cdnjs.cloudflare.com", // #spell-check-ignore-line "fastly.jsdelivr.net", // #spell-check-ignore-line + "fonts.cdnfonts.com", "fonts.googleapis.com", "fonts.gstatic.com", // #spell-check-ignore-line "maxcdn.bootstrapcdn.com", // #spell-check-ignore-line @@ -48,6 +49,7 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider [ "cdn.jsdelivr.net", // #spell-check-ignore-line "cdnjs.cloudflare.com", // #spell-check-ignore-line + "fonts.cdnfonts.com", "fonts.googleapis.com", "fonts.gstatic.com", // #spell-check-ignore-line ]; From 4ebe5cee80e12c468efee19ecff3e1bb9abff8ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 8 Jul 2024 23:41:40 +0200 Subject: [PATCH 07/10] Spelling --- .../Security/CdnContentSecurityPolicyProvider.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs index 12b7ffdd..fb6a16cf 100644 --- a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs +++ b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs 
@@ -22,7 +22,7 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider "cdn.jsdelivr.net", // #spell-check-ignore-line "cdnjs.cloudflare.com", // #spell-check-ignore-line "fastly.jsdelivr.net", // #spell-check-ignore-line - "fonts.cdnfonts.com", + "fonts.cdnfonts.com", // #spell-check-ignore-line "fonts.googleapis.com", "fonts.gstatic.com", // #spell-check-ignore-line "maxcdn.bootstrapcdn.com", // #spell-check-ignore-line @@ -49,7 +49,7 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider [ "cdn.jsdelivr.net", // #spell-check-ignore-line "cdnjs.cloudflare.com", // #spell-check-ignore-line - "fonts.cdnfonts.com", + "fonts.cdnfonts.com", // #spell-check-ignore-line "fonts.googleapis.com", "fonts.gstatic.com", // #spell-check-ignore-line ]; From 4e5fa60df66f2d4d5a3116837a06228fdff5c01e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Sun, 14 Jul 2024 21:03:56 +0200 Subject: [PATCH 08/10] Adding ability to always enable GoogleAnalyticsContentSecurityPolicyProvider --- .../Security/GoogleAnalyticsContentSecurityPolicyProvider.cs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Lombiq.HelpfulLibraries.OrchardCore/Security/GoogleAnalyticsContentSecurityPolicyProvider.cs b/Lombiq.HelpfulLibraries.OrchardCore/Security/GoogleAnalyticsContentSecurityPolicyProvider.cs index ed4e96b7..c29ca7b3 100644 --- a/Lombiq.HelpfulLibraries.OrchardCore/Security/GoogleAnalyticsContentSecurityPolicyProvider.cs +++ b/Lombiq.HelpfulLibraries.OrchardCore/Security/GoogleAnalyticsContentSecurityPolicyProvider.cs 
@@ -13,9 +13,11 @@ public class GoogleAnalyticsContentSecurityPolicyProvider : IContentSecurityPoli { private const string HttpContextItemKey = nameof(GoogleAnalyticsContentSecurityPolicyProvider); + public static bool AlwaysEnabled { get; set; } + public async ValueTask UpdateAsync(IDictionary securityPolicies, HttpContext context) { - var googleAnalyticsIsEnabled = context.Items.ContainsKey(HttpContextItemKey); + var googleAnalyticsIsEnabled = AlwaysEnabled || context.Items.ContainsKey(HttpContextItemKey); if (!googleAnalyticsIsEnabled) { From 636bbf4ac7f56aae1e0546e23e2ad6f8fc2dadb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Sun, 14 Jul 2024 22:39:43 +0200 Subject: [PATCH 09/10] Add configurable PermittedImgSources to CdnContentSecurityPolicyProvider too --- .../Security/CdnContentSecurityPolicyProvider.cs | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs index fb6a16cf..bd9b7a8a 100644 --- a/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs +++ b/Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs @@ -59,6 +59,11 @@ public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider /// public static ConcurrentBag PermittedFrameSources { get; } = []; + /// + /// Gets the sources that will be added to the directive. + /// + public static ConcurrentBag PermittedImgSources { get; } = []; + public ValueTask UpdateAsync(IDictionary securityPolicies, HttpContext context) { var any = false; 
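Review bot: `AlwaysEnabled` is a public static mutable property, so the switch is process-wide: in an Orchard Core host serving several tenants (this series' docs describe registering providers for all tenants) setting it from one tenant turns the Google Analytics directives on for every tenant and every request. If per-tenant control is intended it should come from a shell-scoped setting or options object instead of a static; if process-wide is intended, say so on the property, e.g. `/// <summary>Gets or sets a value indicating whether the Google Analytics CSP directives are added to every response, regardless of whether the GA script was rendered for the current request. This is a process-wide (all tenants) switch.</summary>`. The `if (!googleAnalyticsIsEnabled)` body and the rest of `UpdateAsync` continue outside the hunk.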
@@ -87,6 +92,12 @@ public ValueTask UpdateAsync(IDictionary securityPolicies, HttpC CspHelper.MergeValues(securityPolicies, FrameSrc, PermittedFrameSources); } + if (!PermittedImgSources.IsEmpty) + { + any = true; + CspHelper.MergeValues(securityPolicies, ImgSrc, PermittedImgSources); + } + if (any) { var allPermittedSources = PermittedStyleSources.Concat(PermittedScriptSources).Concat(PermittedFontSources); From cbe40978f1624c6d2f88f5fde43d04e3bdab1ae9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 15 Jul 2024 00:09:41 +0200 Subject: [PATCH 10/10] Updating xUnit to latest --- .../Lombiq.HelpfulLibraries.Tests.csproj | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Lombiq.HelpfulLibraries.Tests/Lombiq.HelpfulLibraries.Tests.csproj b/Lombiq.HelpfulLibraries.Tests/Lombiq.HelpfulLibraries.Tests.csproj index a13da007..834c188c 100644 --- a/Lombiq.HelpfulLibraries.Tests/Lombiq.HelpfulLibraries.Tests.csproj +++ b/Lombiq.HelpfulLibraries.Tests/Lombiq.HelpfulLibraries.Tests.csproj @@ -17,7 +17,7 @@ - + all runtime; build; native; contentfiles; analyzers; buildtransitive @@ -31,7 +31,7 @@ - +
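Review bot: `allPermittedSources` on the last visible line still concatenates only the style, script and font lists, so the new `PermittedImgSources` (like the existing `PermittedFrameSources`) are left out of whatever that aggregate feeds; what it feeds is outside the hunk, but if it is a fallback such as `default-src` or `connect-src` the image hosts will be missing from it. Either append `.Concat(PermittedImgSources)` or add a comment stating the exclusion is deliberate, e.g. `// Img and frame sources are intentionally not part of the aggregate; they only apply to their own directives.` `UpdateAsync` continues outside the hunk on both sides.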