
    ASP.NET Core中如何利用Csp标头对抗Xss攻击(2)

    栏目:代码类 时间:2019-09-11 14:26

    开发中间件时需要一个构造器(Builder),它用于收集配置,并在 .NET Core 的注入过程中把这些配置交给运行环境。

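    /// <summary>
    /// Fluent builder for <see cref="CspOptions"/>: exposes one <see cref="CspDirectiveBuilder"/>
    /// per supported CSP directive and copies the collected sources into the options on <see cref="Build"/>.
    /// </summary>
    public sealed class CspOptionsBuilder
    {
        private readonly CspOptions options = new CspOptions();

        // Only the UseCsp extension creates the builder; callers configure it through the callback.
        internal CspOptionsBuilder() { }

        /// <summary>Sources for <c>default-src</c>.</summary>
        public CspDirectiveBuilder Defaults { get; set; } = new CspDirectiveBuilder();

        /// <summary>Sources for <c>script-src</c>.</summary>
        public CspDirectiveBuilder Scripts { get; set; } = new CspDirectiveBuilder();

        /// <summary>Sources for <c>style-src</c>.</summary>
        public CspDirectiveBuilder Styles { get; set; } = new CspDirectiveBuilder();

        /// <summary>Sources for <c>img-src</c>.</summary>
        public CspDirectiveBuilder Images { get; set; } = new CspDirectiveBuilder();

        /// <summary>Sources for <c>font-src</c>.</summary>
        public CspDirectiveBuilder Fonts { get; set; } = new CspDirectiveBuilder();

        /// <summary>Sources for <c>media-src</c>.</summary>
        public CspDirectiveBuilder Media { get; set; } = new CspDirectiveBuilder();

        /// <summary>Copies every directive's source list into the options object.</summary>
        /// <returns>The populated <see cref="CspOptions"/>; the same instance is returned on every call.</returns>
        internal CspOptions Build()
        {
            this.options.Defaults = this.Defaults.Sources;
            this.options.Scripts = this.Scripts.Sources;
            this.options.Styles = this.Styles.Sources;
            this.options.Images = this.Images.Sources;
            this.options.Fonts = this.Fonts.Sources;
            this.options.Media = this.Media.Sources;
            return this.options;
        }
    }

    /// <summary>Collects the source expressions for a single CSP directive.</summary>
    public sealed class CspDirectiveBuilder
    {
        internal CspDirectiveBuilder() { }

        /// <summary>Source expressions in the order they were added.</summary>
        internal List<string> Sources { get; set; } = new List<string>();

        /// <summary>Allows content from the page's own origin (<c>'self'</c>).</summary>
        public CspDirectiveBuilder AllowSelf() => Allow("'self'");

        /// <summary>Allows nothing for this directive (<c>'none'</c>).</summary>
        // CSP keywords must be single-quoted: a bare "none" is parsed by browsers as a host
        // named "none", so the directive would not block anything.
        public CspDirectiveBuilder AllowNone() => Allow("'none'");

        /// <summary>Allows content from any origin (<c>*</c>).</summary>
        public CspDirectiveBuilder AllowAny() => Allow("*");

        /// <summary>Appends a raw source expression (host, scheme, keyword, nonce or hash).</summary>
        /// <param name="source">The source expression, written exactly as it should appear in the header.</param>
        /// <returns>This builder, for chaining.</returns>
        /// <exception cref="System.ArgumentException">when <paramref name="source"/> is null or whitespace.</exception>
        public CspDirectiveBuilder Allow(string source)
        {
            // An empty token would produce a malformed directive such as "script-src  ;".
            if (string.IsNullOrWhiteSpace(source))
            {
                throw new System.ArgumentException("A CSP source expression must not be empty.", nameof(source));
            }

            this.Sources.Add(source);
            return this;
        }
    }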

    好了,我们创建一个中间件。

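    namespace XSSDefenses.XSSDefenses.MiddlerWare
    {
        /// <summary>
        /// Adds a <c>Content-Security-Policy</c> header, built from <see cref="CspOptions"/>,
        /// to every response that passes through this middleware.
        /// </summary>
        public sealed class CspOptionMiddlerWare
        {
            private const string HEADER = "Content-Security-Policy";

            private readonly RequestDelegate next;
            private readonly CspOptions options;

            // The options are fixed once UseCsp has built them, so the header text is computed once
            // instead of on every request.
            private readonly string headerValue;

            /// <param name="next">The next delegate in the pipeline.</param>
            /// <param name="options">The policy to emit; supplied by <c>UseMiddleware</c> as a constructor argument.</param>
            /// <exception cref="System.ArgumentNullException">when either argument is null.</exception>
            public CspOptionMiddlerWare(RequestDelegate next, CspOptions options)
            {
                this.next = next ?? throw new System.ArgumentNullException(nameof(next));
                this.options = options ?? throw new System.ArgumentNullException(nameof(options));
                this.headerValue = GetHeaderValue();
            }

            /// <summary>Sets the CSP header, then invokes the rest of the pipeline.</summary>
            public async Task Invoke(HttpContext context)
            {
                // Indexer assignment replaces an existing value; Headers.Add would throw if another
                // component had already set the header. A policy with no directives is not sent at all,
                // since an empty header conveys nothing.
                if (this.headerValue.Length > 0)
                {
                    context.Response.Headers[HEADER] = this.headerValue;
                }

                await this.next(context);
            }

            /// <summary>Serializes the configured directives as "name sources; name sources".</summary>
            /// <returns>The header value, or an empty string when no directive has any source.</returns>
            private string GetHeaderValue()
            {
                var directives = new List<string>();
                AppendDirective(directives, "default-src", this.options.Defaults);
                AppendDirective(directives, "script-src", this.options.Scripts);
                AppendDirective(directives, "style-src", this.options.Styles);
                AppendDirective(directives, "img-src", this.options.Images);
                AppendDirective(directives, "font-src", this.options.Fonts);
                AppendDirective(directives, "media-src", this.options.Media);

                // Directives are separated by "; " with no trailing separator.
                return string.Join("; ", directives);
            }

            // Adds "<directive> <space-separated sources>" when the directive has at least one source;
            // directives without sources are omitted rather than emitted as an empty token.
            private static void AppendDirective(List<string> directives, string directive, List<string> sources)
            {
                if (sources != null && sources.Count > 0)
                {
                    directives.Add($"{directive} {string.Join(" ", sources)}");
                }
            }
        }
    }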

    以及设置它的扩展方法。

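    namespace XSSDefenses.XSSDefenses.Extensions
    {
        /// <summary>Pipeline registration helpers for <see cref="CspOptionMiddlerWare"/>.</summary>
        public static class CspMiddlewareExtensions
        {
            /// <summary>
            /// Registers the CSP middleware. Only responses produced by components registered after
            /// this call pass through it and receive the header, so it is normally registered early.
            /// </summary>
            /// <param name="app">The application builder.</param>
            /// <param name="builder">Callback that configures the directives on a <see cref="CspOptionsBuilder"/>.</param>
            /// <returns><paramref name="app"/>, for chaining.</returns>
            /// <exception cref="ArgumentNullException">when either argument is null.</exception>
            public static IApplicationBuilder UseCsp(this IApplicationBuilder app, Action<CspOptionsBuilder> builder)
            {
                if (app == null)
                {
                    throw new ArgumentNullException(nameof(app));
                }

                if (builder == null)
                {
                    throw new ArgumentNullException(nameof(builder));
                }

                var optionsBuilder = new CspOptionsBuilder();
                builder(optionsBuilder);

                // The built options become a constructor argument of the middleware;
                // UseMiddleware supplies the RequestDelegate itself.
                var options = optionsBuilder.Build();
                return app.UseMiddleware<CspOptionMiddlerWare>(options);
            }
        }
    }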