1.2.0 (#28)

* 2024-01-25 Spelling changes

* 2024-01-25 actions/checkout

* 2024-01-25 EoD

* 2024-01-26 1.2.0

* Mitigate all warnings in the build

.github/workflows/GithubActionsRelease.yml

@@ -55,15 +55,14 @@ jobs:
       shell: bash
 
     - name: Checkout repository under $GITHUB_WORKSPACE so the job can access it 🛎️
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         persist-credentials: false
 
     - name: Use dotnet
       uses: actions/setup-dotnet@v3
       with:
-        dotnet-version: '7.0.x'
-        include-prerelease: true
+        dotnet-version: '8.x'
 
     - name: Build HttpSecurity.AspNet 🔧
       run: dotnet build ${{env.projectCSFB}} --configuration ${{env.buildConfiguration}} -p:Version=${{env.version}}

.github/workflows/GithubActionsWIP.yml

@@ -50,15 +50,14 @@ jobs:
       shell: bash
 
     - name: Checkout repository under $GITHUB_WORKSPACE so the job can access it 🛎️
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         persist-credentials: false
 
     - name: Use dotnet
       uses: actions/setup-dotnet@v3
       with:
-        dotnet-version: '7.0.x'
-        include-prerelease: true
+        dotnet-version: '8.x'
 
     - name: Build HttpSecurity.AspNet 🔧
       run: dotnet build ${{env.projectCSFB}} --configuration ${{env.buildConfiguration}} --version-suffix ${{env.ciSuffix}}

HttpSecurity.AspNet/HttpSecurity.AspNet.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
 	<PropertyGroup>
-		<TargetFramework>net7.0</TargetFramework>
+		<TargetFramework>net8.0</TargetFramework>
 		<LangVersion>11</LangVersion>
 		<ImplicitUsings>enable</ImplicitUsings>
 		<Nullable>enable</Nullable>
@@ -10,10 +10,8 @@
 
 	<ItemGroup>
 		<FrameworkReference Include="Microsoft.AspNetCore.App" />
-		<PackageReference Include="Microsoft.AspNetCore.Hosting.Abstractions" Version="2.2.0" />
-		<PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.2.0" />
-		<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="7.0.0" />
-		<PackageReference Include="Microsoft.Extensions.Options" Version="7.0.1" />
+		<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.0" />
+		<PackageReference Include="Microsoft.Extensions.Options" Version="8.0.1" />
 	</ItemGroup>
 
 	<ItemGroup>

HttpSecurity.AspNet/Services/HttpSecurityOptions.cs

@@ -14,7 +14,7 @@ public sealed class HttpSecurityOptions
     /// <summary>
     /// The built content security policy.
     /// </summary>
-    internal ContentSecurityPolicyOptions ContentSecurityPolicy { get; set; } = null;
+    internal ContentSecurityPolicyOptions? ContentSecurityPolicy { get; set; } = null;
 
 
     /// <summary>

HttpSecurity.AspNet/Services/HttpSecurityService.cs

@@ -68,7 +68,7 @@ public string GetFileHashString(string fileName)
 
 
     /// <inheritdoc/>
-    string IHttpSecurityService.GetCSPHashesSubsting(StaticFileExtension staticFileExtension)
+    string IHttpSecurityService.GetCSPHashesSubstring(StaticFileExtension staticFileExtension)
     {
         return _fileHashDataset.GetCSPSubstring(staticFileExtension);
     }

HttpSecurity.AspNet/Services/IHttpSecurityService.cs

@@ -50,5 +50,5 @@ public interface IHttpSecurityService
     /// </summary>
     /// <param name="staticFileExtension"></param>
     /// <returns></returns>
-    internal string GetCSPHashesSubsting(StaticFileExtension staticFileExtension);
+    internal string GetCSPHashesSubstring(StaticFileExtension staticFileExtension);
 }

HttpSecurity.Example/HttpSecurity.Example.csproj

@@ -1,7 +1,7 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
 	<PropertyGroup>
-		<TargetFramework>net7.0</TargetFramework>
+		<TargetFramework>net8.0</TargetFramework>
 		<Nullable>enable</Nullable>
 		<ImplicitUsings>enable</ImplicitUsings>
 	</PropertyGroup>

HttpSecurity.Example/Pages/Index.razor → HttpSecurity.Example/Pages/DisplaySecurityHeaders.razor

@@ -3,7 +3,7 @@
 @inject IHttpSecurityService HttpSecurityService
 @inject IHttpContextAccessor HttpContextAccessor;
 
-<PageTitle>Index</PageTitle>
+<PageTitle>Display Security Headers</PageTitle>
 
 <h1>Http Security Headers</h1>
 

HttpSecurity.Example/Pages/_Host.cshtml

@@ -12,14 +12,14 @@
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <base href="~/" />
-    <link rel="stylesheet" href="https://a.com/a.css" />
+    @* <link rel="stylesheet" href="https://a.com/a.css" /> *@
     <link rel="stylesheet" href="css/bootstrap/bootstrap.min.css" integrity="@HttpSecurityService.GetFileHashString("bootstrap.min.css")" />
     <link rel="stylesheet" href="css/site.css" integrity="@HttpSecurityService.GetFileHashString("site.css")" />
     <link rel="stylesheet" href="HttpSecurity.Example.styles.css" integrity="@HttpSecurityService.GetFileHashString("HttpSecurity.Example.styles.css")" />
-    <component type="typeof(HeadOutlet)" render-mode="ServerPrerendered" />
+    <component type="typeof(HeadOutlet)" render-mode="Server" />
 </head>
 <body>
-    <component type="typeof(App)" render-mode="ServerPrerendered" />
+    <component type="typeof(App)" render-mode="Server" />
 
     <div id="blazor-error-ui">
         <environment include="Staging,Production">

HttpSecurity.Example/Program.cs

@@ -1,5 +1,4 @@
 using HttpSecurity.AspNet;
-using HttpSecurity.Example.Data;
 using System.Globalization;
 
 var builder = WebApplication.CreateBuilder(args);
@@ -8,7 +7,6 @@
 builder.Services.AddHttpContextAccessor();
 builder.Services.AddRazorPages();
 builder.Services.AddServerSideBlazor();
-builder.Services.AddSingleton<WeatherForecastService>();
 
 builder.Services.AddHttpsSecurityHeaders(options =>
 {
@@ -17,50 +15,70 @@
         {
             cspOptions
                 .AddBaseUri(o => o.AddSelf())
+
                 .AddBlockAllMixedContent()
+
                 .AddChildSrc(o => o.AddSelf())
+
                 .AddConnectSrc(o => o
                     .AddSelf()
                     .AddUri((baseUri, baseDomain) => $"wss://{baseDomain}:*"))
+
                 // The generated hashes do nothing here, and we include it here only to show that generated hash values can be added to policies - script-src would generally be the policy where you use this technique.
                 .AddDefaultSrc(o => o
                     .AddSelf()
                     .AddStrictDynamicIf(() => !builder.Environment.IsDevelopment())
                     .AddUnsafeInline()
                     .AddGeneratedHashValues(StaticFileExtension.CSS))
+
                 .AddFontSrc(o => o.AddSelf())
+
                 .AddFrameAncestors(o => o.AddNone())
+
                 .AddFrameSrc(o => o.AddSelf())
+
                 .AddFormAction(o => o.AddNone())
+
                 .AddImgSrc(o => o
                     .AddSelf()  
                     .AddUri("www.google-analytics.com")
                     .AddUri("*.openstreetmap.org")
                     .AddSchemeSource(SchemeSource.Data, "w3.org/svg/2000"))
+
                 .AddManifestSrc(o => o.AddSelf())
+
                 .AddMediaSrc(o => o.AddSelf())
+
                 .AddObjectSrc(o => o.AddNone())
+
                 .AddReportUri(o => o.AddUri((baseUri, baseDomain) => $"https://{baseUri}/api/CspReporting/UriReport"))
+
                 .AddScriptSrc(o => o
                     .AddSelf()
                     .AddNonce()
                     .AddHashValue(HashAlgorithm.SHA256, "v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=")
-                    .AddUriIf((baseUri, baseDomain) => $"https://{baseUri}/_framework/aspnetcore-browser-refresh.js", () => builder.Environment.IsDevelopment())
-                    .AddStrictDynamicIf(() => !builder.Environment.IsDevelopment())
-                    .AddUnsafeInline().AddReportSample().AddUnsafeEval().AddUri("https://www.googletagmanager.com/gtag/js")
+                    // StrictDynamic works on Chromium browsers but fails for both Firefox and Safari
+                    //.AddStrictDynamicIf(() => !builder.Environment.IsDevelopment())
+                    .AddReportSample()
+                    .AddUri("https://www.googletagmanager.com/gtag/js")
+                    .AddUri((baseUri, baseDomain) => $"https://{baseUri}/_framework/aspnetcore-browser-refresh.js")
+                    .AddUri((baseUri, baseDomain) => $"https://{baseUri}/_framework/blazor.server.js")
                     .AddGeneratedHashValues(StaticFileExtension.JS))
+
                 .AddStyleSrc(o => o
                     .AddSelf()
                     .AddUnsafeInline()
                     .AddUnsafeHashes()
                     .AddReportSample())
+
                 .AddUpgradeInsecureRequests()
+
                 .AddWorkerSrc(o => o.AddSelf());
         })
         .AddReferrerPolicy(ReferrerPolicyDirective.NoReferrer)
         .AddPermissionsPolicy("accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()")
         .AddStrictTransportSecurity(31536000, true)
-        .AddXClientId("Material.Blazor")
+        .AddXClientId("HttpSecurity.Example")
         .AddXContentTypeOptionsNoSniff()
         .AddXFrameOptionsDirective(XFrameOptionsDirective.Deny)
         .AddXXssProtectionDirective(XXssProtectionDirective.OneModeBlock)

HttpSecurity.Example/Properties/launchSettings.json

@@ -1,28 +1,14 @@
 {
-  "iisSettings": {
-    "windowsAuthentication": false,
-    "anonymousAuthentication": true,
-    "iisExpress": {
-      "applicationUrl": "http://localhost:10639",
-      "sslPort": 44398
-    }
-  },
   "profiles": {
     "HttpSecurity.Example": {
       "commandName": "Project",
-      "dotnetRunMessages": true,
-      "launchBrowser": true,
-      "applicationUrl": "https://localhost:7256;http://localhost:5080",
-      "environmentVariables": {
-        "ASPNETCORE_ENVIRONMENT": "Development"
-      }
-    },
-    "IIS Express": {
-      "commandName": "IISExpress",
       "launchBrowser": true,
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
-      }
+      },
+      "hotReloadEnabled": false,
+      "dotnetRunMessages": true,
+      "applicationUrl": "https://localhost:50083",
     }
   }
-}
+}

HttpSecurity.Example/Shared/MainLayout.razor

@@ -3,17 +3,9 @@
 <PageTitle>HttpSecurity Example</PageTitle>
 
 <div class="page">
-    <div class="sidebar">
-        <NavMenu />
-    </div>
-
-    <main>
-        <div class="top-row px-4">
-            <a href="https://docs.microsoft.com/aspnet/" target="_blank">About</a>
-        </div>
-
+     <main>
         <article class="content px-4">
-            @Body
+            <HttpSecurity.Example.Pages.DisplaySecurityHeaders></HttpSecurity.Example.Pages.DisplaySecurityHeaders>
         </article>
     </main>
 </div>