andrewlock / NetEscapades.AspNetCore.SecurityHeaders

Small package to allow adding security headers to ASP.NET Core websites
MIT License
704 stars 73 forks

Content Security Policy Frame Ancestors builder doesn't allow multiple URIs in single call #178

Closed JackGilmore closed 3 months ago

JackGilmore commented 3 months ago

When using CspBuilder while calling AddContentSecurityPolicy() to create a HeaderPolicyCollection, the builder allows you to pass in an IEnumerable<string> with multiple URIs, e.g.


// A collection expression needs a target type; `var` alone will not compile.
string[] uris = ["https://example.com", "https://example2.com"];

var policyCollection = new HeaderPolicyCollection()
    .AddContentSecurityPolicy(builder =>
    {
        builder.AddFrameSrc().From(uris);
    });

This doesn't seem to be the case for AddFrameAncestors(), as its .From() method only appears to support a single string URI, e.g.


// A collection expression needs a target type; `var` alone will not compile.
string[] uris = ["https://example.com", "https://example2.com"];

var policyCollection = new HeaderPolicyCollection()
    .AddContentSecurityPolicy(builder =>
    {
        // No overload takes `uris`; each source has to be chained separately.
        builder.AddFrameAncestors().From("https://example.com").From("https://example2.com");
    });

Is this an intentional design or is it possible to make AddFrameAncestors().From() support an IEnumerable<string> also?

andrewlock commented 3 months ago

Hey @JackGilmore, yeah this is just a quirk - the FrameAncestorsDirectiveBuilder derives from CspDirectiveBuilderBase rather than CspDirectiveBuilder because it has slightly different allowed sources. I've created a PR to add the same method directly to the FrameAncestorsDirectiveBuilder - I think it makes sense, thanks!
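For anyone on a version before the fix, the following is a workaround in the same spirit as the chained calls in the issue. It is an added example, not code from the package or from either participant: it wraps the single-URI `From()` shown above in a hypothetical `FromAll` extension method and loops over the sources. The `FrameAncestorsDirectiveBuilder` type name is taken from the comment above; the namespaces in the `using` lines are assumptions and may need adjusting to your package version. It also builds both directives side by side, because the two are easy to confuse: `frame-ancestors` controls which origins may embed your page in a frame (the clickjacking defence), while `frame-src` controls which origins your page may embed.

```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;                          // namespace assumed for HeaderPolicyCollection
using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure; // namespace assumed for FrameAncestorsDirectiveBuilder

public static class FrameAncestorsBuilderExtensions
{
    // Hypothetical helper, not part of the package: applies the single-URI
    // From() from the thread once per source. Named FromAll rather than From
    // so it cannot be confused with the instance overload.
    public static FrameAncestorsDirectiveBuilder FromAll(
        this FrameAncestorsDirectiveBuilder builder, IEnumerable<string> uris)
    {
        foreach (var uri in uris)
        {
            builder.From(uri);
        }
        return builder;
    }
}

public static class CspPolicy
{
    public static HeaderPolicyCollection Build()
    {
        // Constructed sample values: the only origins allowed to frame this app.
        string[] allowedEmbedders = ["https://example.com", "https://example2.com"];

        // Constructed sample values: the only origins this app is allowed to frame.
        string[] allowedFrames = ["https://widgets.example.net"];

        return new HeaderPolicyCollection()
            .AddContentSecurityPolicy(builder =>
            {
                // frame-ancestors: who may put *us* in a frame. Per the CSP
                // serialisation rules the directive is expected to render as
                //   frame-ancestors https://example.com https://example2.com
                builder.AddFrameAncestors().FromAll(allowedEmbedders);

                // frame-src: what *we* may put in a frame. This builder already
                // accepts IEnumerable<string>, as the issue shows.
                builder.AddFrameSrc().From(allowedFrames);
            });
    }
}
```

Because `FromAll` only calls the existing single-URI `From()`, it produces the same policy as the hand-chained form in the issue; once you upgrade to a version with the IEnumerable overload the extension can simply be deleted.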

JackGilmore commented 3 months ago

Awesome! Thanks for turning this around so quickly :) Would it be possible for you to publish a new version of your NuGet package so I can pull this down to use with my app?

andrewlock commented 2 months ago

Just pushed out a new version which contains this, v0.24.0!