juunas11 / aspnetcore-security-headers

Middleware for adding security headers to an ASP.NET Core application.
MIT License

Path in ReportViolationsTo causes 404 when using IIS #62

Open Rakshasas opened 2 years ago

Rakshasas commented 2 years ago

When using IIS in a virtual application, the application path isn't added to the report URL.

I have the following route defined:

app.UseEndpoints(endpoints => {
    // Area route: matches e.g. /csp/report -> area "Csp", controller "Csp"? (area must exist)
    endpoints.MapControllerRoute("Csp", "{area:exists}/{controller=Home}/{action=Index}/{id?}");
    ...
    endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
});
app.UseCsp(csp => {
    // Various rules here
    csp.ReportViolationsTo("/csp/report");
});

I have a CSP controller in an area named CSP:

When a violation occurs, it's sent to https://servername.com/csp/report; however, when running in IIS it needs to be https://servername.com/somepath/csp/report

My current workaround is to move the csp.ReportViolationsTo inside OnSendingHeader:

app.UseCsp(csp => {
    // Various rules here

    csp.OnSendingHeader = context => {
        // Prefix the report path with the request's PathBase (the IIS virtual application path)
        var path = new PathString($"{context.HttpContext.Request.PathBase}/csp/report");
        csp.ReportViolationsTo(path);
        context.ShouldNotSend = context.HttpContext.Request.Path.StartsWithSegments("/swagger");
        return Task.CompletedTask;
    };
});

However, that will reset the ReportViolations every time and is not ideal.

This is something that other areas of ASP.NET Core already handle. For example, setting app.UseStatusCodePagesWithReExecute("/Error/{0}"); would properly redirect 404 error pages to https://servername.com/somepath/error/404
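As an added illustration (not code from the issue or from the aspnetcore-security-headers library), the following minimal middleware shows the PathBase mechanics behind the workaround above: it builds the report-uri per request from Request.PathBase, which IIS sets to the virtual application path, without mutating any shared configuration. The extension method name, the report path default and the CSP directives are constructed for this example; PathString.Add, Request.PathBase and app.Use are standard ASP.NET Core APIs.

```csharp
// Added example, not part of the issue or the library.
// Emits a Content-Security-Policy header whose report-uri is prefixed with the
// request's PathBase ("" when hosted at the site root, "/somepath" for an IIS
// virtual application). Directive set and method names are constructed here.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class CspReportPathExtensions
{
    // Build the absolute path of the report endpoint for the current request.
    // PathString.Add covers both cases:
    //   ""          + "/csp/report" -> "/csp/report"
    //   "/somepath" + "/csp/report" -> "/somepath/csp/report"
    public static string BuildReportPath(PathString pathBase, PathString reportPath)
        => pathBase.Add(reportPath).Value ?? reportPath.Value ?? string.Empty;

    // Hypothetical extension method name; registers an inline middleware.
    public static IApplicationBuilder UseCspWithPathBaseReport(
        this IApplicationBuilder app, string reportPath = "/csp/report")
    {
        return app.Use(async (context, next) =>
        {
            // Skip paths that should not carry the policy, as the issue does for Swagger.
            if (!context.Request.Path.StartsWithSegments("/swagger"))
            {
                var reportUri = BuildReportPath(context.Request.PathBase, new PathString(reportPath));

                // The header value is computed per request, so nothing shared is reset.
                // Set before calling next() so it is in place before the response starts.
                context.Response.Headers["Content-Security-Policy"] =
                    $"default-src 'self'; report-uri {reportUri}";
            }

            await next();
        });
    }
}
```

Register it early in the pipeline (for example right after app.UseRouting()) so every response that goes through the endpoint gets the header. The point of BuildReportPath is that PathBase is only known per request under IIS, which is why a one-time csp.ReportViolationsTo("/csp/report") at startup cannot see the /somepath prefix; computing the path at header-emission time, as the workaround does, is the part that would need to move into the library.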

juunas11 commented 1 year ago

Hmm.. This requires some more looking into. Probably we can get the application path through something so we can add the prefix to the URL.