Add support for 'report-sample' and 'none' together

andrewlock · Sep 29, 2023 · 08a5e95 · 08a5e95
1 parent 3345b1e
commit 08a5e95
Show file tree

Hide file tree

Showing 8 changed files with 44 additions and 1 deletion.
diff --git a/...Escapades.AspNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/CspDirectiveBuilder.cs b/...Escapades.AspNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/CspDirectiveBuilder.cs
@@ -42,12 +42,19 @@ public CspDirectiveBuilder(string directive) : base(directive)
     /// </summary>
     public bool BlockResources { get; set; } = false;
 
+    /// <summary>
+    /// If true, adds the 'report-sample' to the directive.
+    /// </summary>
+    internal bool MustReportSample { get; set; }
+
     /// <inheritdoc />
     internal override Func<HttpContext, string> CreateBuilder()
     {
         if (BlockResources)
         {
-            return ctx => GetPolicy("'none'");
+            return MustReportSample
+                ? ctx => GetPolicy("'report-sample' 'none'")
+                : ctx => GetPolicy("'none'");
         }
 
         var sources = string.Join(Separator, Sources);

diff --git a/...NetCore.SecurityHeaders/Headers/ContentSecurityPolicy/ScriptSourceAttrDirectiveBuilder.cs b/...NetCore.SecurityHeaders/Headers/ContentSecurityPolicy/ScriptSourceAttrDirectiveBuilder.cs
@@ -24,6 +24,7 @@ public ScriptSourceAttrDirectiveBuilder() : base("script-src-attr")
     /// <returns>The CSP builder for method chaining</returns>
     public ScriptSourceAttrDirectiveBuilder ReportSample()
     {
+        MustReportSample = true;
         Sources.Add("'report-sample'");
         return this;
     }

diff --git a/....AspNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/ScriptSourceDirectiveBuilder.cs b/....AspNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/ScriptSourceDirectiveBuilder.cs
@@ -20,6 +20,7 @@ public ScriptSourceDirectiveBuilder() : base("script-src")
     /// <returns>The CSP builder for method chaining</returns>
     public ScriptSourceDirectiveBuilder ReportSample()
     {
+        MustReportSample = true;
         Sources.Add("'report-sample'");
         return this;
     }

diff --git a/...NetCore.SecurityHeaders/Headers/ContentSecurityPolicy/ScriptSourceElemDirectiveBuilder.cs b/...NetCore.SecurityHeaders/Headers/ContentSecurityPolicy/ScriptSourceElemDirectiveBuilder.cs
@@ -24,6 +24,7 @@ public ScriptSourceElemDirectiveBuilder() : base("script-src-elem")
     /// <returns>The CSP builder for method chaining</returns>
     public ScriptSourceElemDirectiveBuilder ReportSample()
     {
+        MustReportSample = true;
         Sources.Add("'report-sample'");
         return this;
     }

diff --git a/...pNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/StyleSourceAttrDirectiveBuilder.cs b/...pNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/StyleSourceAttrDirectiveBuilder.cs
@@ -22,6 +22,7 @@ public StyleSourceAttrDirectiveBuilder() : base("style-src-attr")
     /// <returns>The CSP builder for method chaining</returns>
     public StyleSourceAttrDirectiveBuilder ReportSample()
     {
+        MustReportSample = true;
         Sources.Add("'report-sample'");
         return this;
     }

diff --git a/...s.AspNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/StyleSourceDirectiveBuilder.cs b/...s.AspNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/StyleSourceDirectiveBuilder.cs
@@ -18,6 +18,7 @@ public StyleSourceDirectiveBuilder() : base("style-src")
     /// <returns>The CSP builder for method chaining</returns>
     public StyleSourceDirectiveBuilder ReportSample()
     {
+        MustReportSample = true;
         Sources.Add("'report-sample'");
         return this;
     }

diff --git a/...pNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/StyleSourceElemDirectiveBuilder.cs b/...pNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/StyleSourceElemDirectiveBuilder.cs
@@ -21,6 +21,7 @@ public StyleSourceElemDirectiveBuilder() : base("style-src-elem")
     /// <returns>The CSP builder for method chaining</returns>
     public StyleSourceElemDirectiveBuilder ReportSample()
     {
+        MustReportSample = true;
         Sources.Add("'report-sample'");
         return this;
     }

diff --git a/test/NetEscapades.AspNetCore.SecurityHeaders.Test/CspBuilderTests.cs b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/CspBuilderTests.cs
@@ -215,6 +215,36 @@ public void Build_AddSrciptSrc_WhenAddsNonce_ConstantValueThrowsInvalidOperation
             })
             .ShouldThrow<InvalidOperationException>();
     }
+    [Theory]
+    [InlineData(true, false)]
+    [InlineData(false, true)]
+    [InlineData(true, true)]
+    public void Build_AddSrciptSrc_ReportSampleAndNone_ShouldAllowBoth(bool reportSample, bool none)
+    {
+        var builder = new CspBuilder();
+        var src = builder.AddScriptSrc();
+        if (reportSample)
+        {
+            src.ReportSample();
+        }
+
+        if (none)
+        {
+            src.None();
+        }
+
+        var expected = (reportSample, none) switch
+        {
+            (true, false) => "script-src 'report-sample'",
+            (false, true) => "script-src 'none'",
+            (true, true) => "script-src 'report-sample' 'none'",
+            _ => throw new InvalidOperationException(),
+        };
+
+        var result = builder.Build();
+
+        result.ConstantValue.Should().Be(expected);
+    }
 
     [Fact]
     public void Build_AddSrciptSrc_WhenDoesntAddNonce_BuilderThrowsInvalidOperation()