Release/v1.5.2 (#77)

* Add wss protocol and  extra reporting endpoint

* Update build number

* update package dependencies

* Update documentation

* update buikdtargets

.github/workflows/build-jhoose-security-core.yml

@@ -8,8 +8,8 @@ on:
   workflow_dispatch:
 
 env:
-  BUILD_NO: 1.5.1.${{ github.run_number }}
-  BUILD_NO_PRE: 1.5.1-rc.${{ github.run_number }}
+  BUILD_NO: 1.5.2.${{ github.run_number }}
+  BUILD_NO_PRE: 1.5.2-rc.${{ github.run_number }}
 
 jobs:
   build:

.github/workflows/build-jhoose-security.yml

@@ -8,8 +8,8 @@ on:
   workflow_dispatch:
 
 env:
-  BUILD_NO: 1.5.1.${{ github.run_number }}  
-  BUILD_NO_PRE: 1.5.1-rc.${{ github.run_number }} 
+  BUILD_NO: 1.5.2.${{ github.run_number }}  
+  BUILD_NO_PRE: 1.5.2-rc.${{ github.run_number }} 
 
 jobs:
   build:

README.md

@@ -263,4 +263,5 @@ These aren't removed, the reason being
  |1.2|Ported to support Episerver 11 and .Net Framework 4.7.1<br/>Automatically remove (_X-AspNet-Version, X-AspNetMvc-Version_)|
  |1.3|Added .Net6 Support|
  |1.4|Included support for the Optimizely nonce service|
- |1.5|#64, #65 Resolved issue with duplicate headers being added and crashing the solution<br/>#70 Resolved issue the report-to directive being incorectly configured|
+ |1.5|#64, #65 Resolved issue with duplicate headers being added and crashing the solution<br/>#70 Resolved issue the report-to directive being incorectly configured|
+ |1.5.2|Add support for ws and wss protocols<br/>Add support for seperate report-uri and report-to endpoints|

src/Jhoose.Security.Core/Jhoose.Security.Core.csproj

@@ -5,7 +5,7 @@
 		<PackageId>Jhoose.Security.Core</PackageId>
 		<RepositoryUrl>https://github.com/andrewmarkham/contentsecuritypolicy</RepositoryUrl>
 		<ProjectUrl>https://github.com/andrewmarkham/contentsecuritypolicy</ProjectUrl>
-		<Version>1.5.1.0</Version>
+		<Version>1.5.2.0</Version>
 		<Authors>Andrew Markham</Authors>
 		<Title>Jhoose Security Core</Title>
 		<Description>Core package used by the Jhoose Security module</Description>
@@ -20,6 +20,9 @@
 			    Handle duplicate headers as this caused site to crash
 				Handle CRLF in header value, changed to Space
 				Make caching threadsafe
+		1.5.1 - Removed Global Serialization settings for .Net Framework see issue #52
+		1.5.2 - Add support for ws and wss protocols
+			    Add support for seperate report-uri and report-to endpoints
 	  </ReleaseNotes>
 		<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
 		<RestoreSources>

src/Jhoose.Security.Core/Models/CspPolicyHeader.cs

@@ -6,22 +6,10 @@ namespace Jhoose.Security.Core.Models
 
     public class CspPolicyHeader : CspPolicyHeaderBase
     {
-        public CspPolicyHeader(string reportUrl) : base(reportUrl)
+        public CspPolicyHeader(CspSettings settings) : base(settings)
         {
         }
 
         public override string Name => "Content-Security-Policy";
     }
-
-
-    public class ReportingEndpointHeader : CspPolicyHeaderBase
-    {
-        public ReportingEndpointHeader(string reportUrl) : base(reportUrl)
-        {
-        }
-
-        public override string Name => "Reporting-Endpoints";
-
-        public override string Value => $"main-endpoint=\"{this.reportUrl}\", default=\"{this.reportUrl}\"";
-    }
 }

src/Jhoose.Security.Core/Models/CspPolicyHeaderBase.cs

@@ -5,11 +5,11 @@ namespace Jhoose.Security.Core.Models
 {
     public abstract class CspPolicyHeaderBase : ResponseHeader
     {
-        protected readonly string reportUrl;
+        protected readonly CspSettings settings;
 
-        protected CspPolicyHeaderBase(string reportUrl)
+        protected CspPolicyHeaderBase(CspSettings settings)
         {
-            this.reportUrl = reportUrl;
+            this.settings = settings;
         }
 
         protected virtual string BuildValue(string reportUrl, string nonceValue)
@@ -21,7 +21,11 @@ protected virtual string BuildValue(string reportUrl, string nonceValue)
             if (!(string.IsNullOrEmpty(reportUrl)))
             {
                 sb.Append($" report-uri {reportUrl}; ");
-                sb.Append($" report-to main-endpoint; ");
+
+                if (!string.IsNullOrEmpty(this.settings.ReportToUrl))
+                {
+                    sb.Append($" report-to csp-endpoint; ");
+                }
             }
 
             return string.Format(sb.ToString(), nonceValue);
@@ -30,6 +34,6 @@ protected virtual string BuildValue(string reportUrl, string nonceValue)
         public string NonceValue { get; set; }
         public List<CspPolicy> Policies { get; set; }
 
-        public override string Value => this.BuildValue(this.reportUrl, this.NonceValue);
+        public override string Value => this.BuildValue(this.settings.ReportingUrl, this.NonceValue);
     }
 }

src/Jhoose.Security.Core/Models/CspPolicyReportHeader.cs

@@ -2,7 +2,7 @@
 {
     public class CspPolicyReportHeader : CspPolicyHeaderBase
     {
-        public CspPolicyReportHeader(string reportUrl) : base(reportUrl)
+        public CspPolicyReportHeader(CspSettings settings) : base(settings)
         {
         }
 

src/Jhoose.Security.Core/Models/CspSettings.cs

@@ -17,8 +17,20 @@ public class CspSettings
     {
         public Guid Id { get; } = Guid.Parse("3f15cad4-cd57-41c3-95c8-f7f62a2759ea");
         public string Mode { get; set; }
+
+        /// <summary>
+        /// Used for the report-uri directive
+        /// </summary>
         public string ReportingUrl { get; set; }
 
+        /// <summary>
+        /// Used by the report-to directive
+        /// </summary>
+        public string ReportToUrl { get; set; }
+
+        [JsonIgnore]
+        public bool HasReporting => !string.IsNullOrEmpty(this.ReportingUrl) | !string.IsNullOrEmpty(this.ReportToUrl);
+
         [JsonIgnore]
         public bool IsEnabled => this.Mode.Equals("off") ? false : true;
 

src/Jhoose.Security.Core/Models/ReportingEndpointHeader.cs

@@ -0,0 +1,13 @@
+namespace Jhoose.Security.Core.Models
+{
+    public class ReportingEndpointHeader : CspPolicyHeaderBase
+    {
+        public ReportingEndpointHeader(CspSettings settings) : base(settings)
+        {
+        }
+
+        public override string Name => "Reporting-Endpoints";
+
+        public override string Value => $"csp-endpoint=\"{this.settings.ReportToUrl}\", default=\"{this.settings.ReportToUrl}\"";
+    }
+}

src/Jhoose.Security.Core/Models/SchemaSource.cs

@@ -14,10 +14,14 @@ public SchemaSource()
         {
             this.Http = false;
             this.Https = false;
+
             this.Data = false;
             this.Mediastream = false;
             this.Blob = false;
             this.Filesystem = false;
+
+            this.Ws = false;
+            this.Wss = false;
         }
 
         public bool Http { get; set; }
@@ -27,6 +31,8 @@ public SchemaSource()
         public bool Blob { get; set; }
         public bool Filesystem { get; set; }
 
+        public bool Ws { get; set; }
+        public bool Wss { get; set; }
 
         public override string ToString()
         {
@@ -40,9 +46,12 @@ public override string ToString()
             if (this.Blob) sb.Append("blob: ");
             if (this.Filesystem) sb.Append("filesystem: ");
 
+            if (this.Ws) sb.Append("ws: ");
+            if (this.Wss) sb.Append("wss: ");
+
             return sb.ToString();
         }
 
-        public bool HasSchemaSource => this.Http | this.Https | this.Data | this.Mediastream | this.Blob | this.Filesystem;
+        public bool HasSchemaSource => this.Http | this.Https | this.Data | this.Mediastream | this.Blob | this.Filesystem | this.Ws | this.Wss;
     }
 }

src/Jhoose.Security.Core/Provider/StandardCspProvider.cs

@@ -36,16 +36,16 @@ public IEnumerable<CspPolicyHeaderBase> PolicyHeaders()
         {
             var policies = this.policyRepository.List();
 
-            if (!string.IsNullOrEmpty(this.Settings.ReportingUrl))
+            if (!string.IsNullOrEmpty(this.Settings.ReportToUrl))
             {
-                yield return new ReportingEndpointHeader(this.Settings.ReportingUrl);
+                yield return new ReportingEndpointHeader(this.Settings);
 
             }
 
             // for global report only
             if (this.Settings.Mode.Equals("report"))
             {
-                yield return new CspPolicyReportHeader(this.Settings.ReportingUrl)
+                yield return new CspPolicyReportHeader(this.Settings)
                 {
                     Policies = policies
                 };
@@ -56,7 +56,7 @@ public IEnumerable<CspPolicyHeaderBase> PolicyHeaders()
 
                 if (actionPolicies.Any())
                 {
-                    yield return new CspPolicyHeader(this.Settings.ReportingUrl)
+                    yield return new CspPolicyHeader(this.Settings)
                     {
                         Policies = actionPolicies
                     };
@@ -66,7 +66,7 @@ public IEnumerable<CspPolicyHeaderBase> PolicyHeaders()
 
                 if (reportPolicies.Any())
                 {
-                    yield return new CspPolicyReportHeader(this.Settings.ReportingUrl)
+                    yield return new CspPolicyReportHeader(this.Settings)
                     {
                         Policies = reportPolicies
                     };

src/Jhoose.Security/Jhoose.Security.csproj

@@ -6,7 +6,7 @@
 		<PackageId>Jhoose.Security.Admin</PackageId>
 		<RepositoryUrl>https://github.com/andrewmarkham/contentsecuritypolicy</RepositoryUrl>
 		<ProjectUrl>https://github.com/andrewmarkham/contentsecuritypolicy</ProjectUrl>
-		<Version>1.5.1.0</Version>
+		<Version>1.5.2.0</Version>
 		<Authors>Andrew Markham</Authors>
 		<Description>Interface to manage Content Security Policy and OWASP Recomended response headers</Description>
 		<Title>Jhoose Security</Title>
@@ -21,7 +21,9 @@
 			        Handle duplicate headers as this caused site to crash
 					Handle CRLF in header value, changed to Space
 					Make caching threadsafe
-			1.5.1 - Removed Global Serialization settings for .Net Framework see issue #52 
+			1.5.1 - Removed Global Serialization settings for .Net Framework see issue #52
+			1.5.2 - Add support for ws and wss protocols
+			        Add support for seperate report-uri and report-to endpoints
 	</ReleaseNotes>
 		<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
 		<RestoreSources Condition=" '$(Configuration)' == 'Debug' ">
@@ -54,8 +56,8 @@
 		<PackageReference Include="EPiServer.Framework" Version="[12.4.0,13)" />
 		<PackageReference Include="Microsoft.AspNetCore.Http" Version="2.1.22" />
 		<PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.1.1" />
-		<PackageReference Include="Jhoose.Security.Core" Version="[1.5.*-rc.*,2)" Condition=" '$(Configuration)' == 'PreRelease' " />
-		<PackageReference Include="Jhoose.Security.Core" Version="[1.5.*,2)" Condition=" '$(Configuration)' == 'Release' " />
+		<PackageReference Include="Jhoose.Security.Core" Version="[1.5.2.*-rc.*,2)" Condition=" '$(Configuration)' == 'PreRelease' " />
+		<PackageReference Include="Jhoose.Security.Core" Version="[1.5.2.*,2)" Condition=" '$(Configuration)' == 'Release' " />
 		<PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="6.0" />
 	</ItemGroup>
 	<ItemGroup Condition="'$(TargetFramework)' == 'net471'">
@@ -66,8 +68,8 @@
 		<PackageReference Include="Newtonsoft.Json" Version="[9.0.1,14)" />
 		<PackageReference Include="Microsoft.AspNet.WebApi.Core" Version="5.2.7" />
 		<PackageReference Include="Microsoft.AspNet.WebApi.WebHost" Version="5.2.7" />
-		<PackageReference Include="Jhoose.Security.Core" Version="[1.5.*-rc.*,2)" Condition=" '$(Configuration)' == 'PreRelease' " />
-		<PackageReference Include="Jhoose.Security.Core" Version="[1.5.*,2)" Condition=" '$(Configuration)' == 'Release' " />
+		<PackageReference Include="Jhoose.Security.Core" Version="[1.5.2.*-rc.*,2)" Condition=" '$(Configuration)' == 'PreRelease' " />
+		<PackageReference Include="Jhoose.Security.Core" Version="[1.5.2.*,2)" Condition=" '$(Configuration)' == 'Release' " />
 	</ItemGroup>
 	<ItemGroup Condition=" '$(Configuration)' == 'Debug' ">
 		<ProjectReference Include="..\Jhoose.Security.Core\Jhoose.Security.Core.csproj" />
@@ -83,7 +85,7 @@
 		<Content Remove="*.json" />
 		<Content Remove="Jhoose.Security.Views\**" />
 		<!--  -->
-		<Content Include="build\net5.0\Jhoose.Security.Admin.targets" PackagePath="build\net5.0\Jhoose.Security.Admin.targets" />
+		<Content Include="build\net6.0\Jhoose.Security.Admin.targets" PackagePath="build\net6.0\Jhoose.Security.Admin.targets" />
 		<Content Include="build\net461\Jhoose.Security.Admin.targets" PackagePath="build\net461\Jhoose.Security.Admin.targets" />
 		<Content Include="dist\Jhoose.Security\**" Exclude="src\**\*">
 			<Pack>true</Pack>

src/Jhoose.Security/build/net6.0/Jhoose.Security.Admin.targets

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
+    <ItemGroup>
+        <SourceScripts Include="$(MSBuildThisFileDirectory)..\..\contentFiles\any\any\modules\_protected\**\*"/>
+    </ItemGroup>
+
+    <Target Name="CopyFiles" BeforeTargets="Build">
+        <Copy
+            SourceFiles="@(SourceScripts)"
+            DestinationFolder="$(MSBuildProjectDirectory)\modules\_protected\%(RecursiveDir)"
+        />
+    </Target>
+</Project>