Feature/cross origin embedder policy #164

Merged
merged 10 commits into from
Dec 30, 2024
20 changes: 11 additions & 9 deletions README-NuGet.md
@@ -31,15 +31,17 @@ This will add a number of default HTTP headers to all responses from your server
The following is an example of the response headers from version 9.0.0 (taken on November 19th, 2024)

```http
cache-control: max-age=31536000,private
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
cross-origin-resource-policy: same-origin
referrer-policy: no-referrer
strict-transport-security: max-age=31536000;includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-permitted-cross-domain-policies: none;
x-xss-protection: 0
strict-transport-security: max-age=31536000;includesubdomains
x-frame-options: deny
x-content-type-options: nosniff
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
cross-origin-resource-policy: same-origin
cache-control: max-age=0,no-store
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: same-require-corp
x-xss-protection: 0
```

Please note: The above example contains only the headers added by the Middleware.
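Review bot: `cross-origin-embedder-policy: same-require-corp` is not a valid Cross-Origin-Embedder-Policy value. The header only defines `unsafe-none`, `require-corp` and `credentialless`; a browser ignores an unrecognised token and leaves the document at `unsafe-none`, so this value would give no protection at all. The new docs page for the header says the default is `require-corp`, so either this capture is a typo or the constant that emits the value is wrong; please check which and fix it at the source rather than only in the README. Two smaller points in the same hunk: the caption still says the capture is from version 9.0.0 on November 19th, 2024, but COOP and COEP only arrive in 9.7.x according to the changelog, so re-take the capture and update the caption; and the example silently changes Cache-Control from `max-age=31536000,private` to `max-age=0,no-store`, which, if it reflects a real change to the default, belongs in the changelog.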
20 changes: 11 additions & 9 deletions README.md
@@ -55,15 +55,17 @@ This will add a number of default HTTP headers to all responses from your server
The following is an example of the response headers from version 9.0.0 (taken on November 19th, 2024)

```http
cache-control: max-age=31536000,private
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
cross-origin-resource-policy: same-origin
referrer-policy: no-referrer
strict-transport-security: max-age=31536000;includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-permitted-cross-domain-policies: none;
x-xss-protection: 0
strict-transport-security: max-age=31536000;includesubdomains
x-frame-options: deny
x-content-type-options: nosniff
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
cross-origin-resource-policy: same-origin
cache-control: max-age=0,no-store
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: same-require-corp
x-xss-protection: 0
```

Please note: The above example contains only the headers added by the Middleware.
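Review bot: same problems as the README-NuGet.md hunk: `same-require-corp` is not a valid COEP value (the docs page says `require-corp`, which is what the spec defines), the "version 9.0.0 (taken on November 19th, 2024)" caption predates the COOP and COEP headers shown, and the Cache-Control default changes from `max-age=31536000,private` to `max-age=0,no-store` with no changelog entry. Since the two READMEs carry identical text, fix both in the same commit so they do not drift.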
26 changes: 15 additions & 11 deletions changelog.md
@@ -4,24 +4,28 @@ This changelog represents all the major (i.e. breaking) changes made to the Owas

## TL;DR

| Major Version Number | Changes |
|----------------------|-------------------------------------------------------------------------|
| 9 | Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. |
| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes |
| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplified the use of the middleware in Composite Root/Program.cs |
| 6 | Removes Expect-CT Header from the list of default headers |
| 5 | XSS Protection is now hard-coded to return "0" if enabled |
| 4 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> uses .NET Standard 2.0 <br /> Removed XSS Protection header from defaults |
| 3 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 2.0 |
| 2 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Core 2.0 |
| 1 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 1.4 |
| Major Version Number | Changes |
|----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 9 | Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. <br /> A number of small optimisation have been made to the middleware's `Invoke` method <br /> Added support for both Cross-Origin-Opener-Policy (CORP) and Cross-Origin-Embedder-Policy (COEP) headers |
| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes |
| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplified the use of the middleware in Composite Root/Program.cs |
| 6 | Removes Expect-CT Header from the list of default headers |
| 5 | XSS Protection is now hard-coded to return "0" if enabled |
| 4 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> uses .NET Standard 2.0 <br /> Removed XSS Protection header from defaults |
| 3 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 2.0 |
| 2 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Core 2.0 |
| 1 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 1.4 |

### Version 9

This version dropped support for .NET 6 and .NET 7, as they are no longer supported by Microsoft. It also added support for .NET 9.

All projects in the [GitHub repo](https://github.com/GaProgMan/OwaspHeaders.Core) now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.

#### Verison 9.7.x

This version saw the addition of both the [Cross-Origin-Opener-Policy](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Opener-Policy/) (COEP) and [Cross-Origin-Embedder-Policy](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Embedder-Policy/) (COEP) headers; bringing the total number of supported headers to 83% complete (or 10 of the 12 recommended headers and values).

#### Version 9.6.x

This version saw the addition of a number of _very_ small changes to the middleware's `Invoke` method which aimed to increase efficiency, reduce working memory usage, and increase execution speed.
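Review bot: row 9 of the table abbreviates Cross-Origin-Opener-Policy as "CORP", which elsewhere in this project means Cross-Origin-Resource-Policy (the header added in version 7); it should read COOP. In the same row, "A number of small optimisation have been made" needs "optimisations". The new subsection heading is misspelled ("Verison 9.7.x"), and its paragraph labels both headers "(COEP)"; the first, after the Cross-Origin-Opener-Policy link, should be "(COOP)". Finally, the unchanged Version 9 paragraph still says "As of November 19th, 2024 there are no new features in Version 9", which the 9.6.x and 9.7.x subsections directly beneath it now contradict; update or drop that sentence.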
32 changes: 15 additions & 17 deletions docs/changelog.md
@@ -1,33 +1,31 @@
---
title: Changelog
layout: page
nav_order: 7
---

# Changelog

This changelog represents all the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to [AppVeyor](https://ci.appveyor.com/project/GaProgMan/owaspheaders-core). Because of this, the releases on the GitHub repo became stale.

## TL;DR

| Major Version Number | Changes |
|----------------------|-------------------------------------------------------------------------|
| 9 | Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. |
| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes |
| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplified the use of the middleware in Composite Root/Program.cs |
| 6 | Removes Expect-CT Header from the list of default headers |
| 5 | XSS Protection is now hard-coded to return "0" if enabled |
| 4 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> uses .NET Standard 2.0 <br /> Removed XSS Protection header from defaults |
| 3 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 2.0 |
| 2 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Core 2.0 |
| 1 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 1.4 |
| Major Version Number | Changes |
|----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 9 | Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. <br /> A number of small optimisation have been made to the middleware's `Invoke` method <br /> Added support for both Cross-Origin-Opener-Policy (CORP) and Cross-Origin-Embedder-Policy (COEP) headers |
| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes |
| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplified the use of the middleware in Composite Root/Program.cs |
| 6 | Removes Expect-CT Header from the list of default headers |
| 5 | XSS Protection is now hard-coded to return "0" if enabled |
| 4 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> uses .NET Standard 2.0 <br /> Removed XSS Protection header from defaults |
| 3 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 2.0 |
| 2 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Core 2.0 |
| 1 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 1.4 |

### Version 9

This version dropped support for .NET 6 and .NET 7, as they are no longer supported by Microsoft. It also added support for .NET 9.

All projects in the [GitHub repo](https://github.com/GaProgMan/OwaspHeaders.Core) now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.

#### Verison 9.7.x

This version saw the addition of both the [Cross-Origin-Opener-Policy](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Opener-Policy/) (COEP) and [Cross-Origin-Embedder-Policy](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Embedder-Policy/) (COEP) headers; bringing the total number of supported headers to 83% complete (or 10 of the 12 recommended headers and values).

#### Version 9.6.x

This version saw the addition of a number of _very_ small changes to the middleware's `Invoke` method which aimed to increase efficiency, reduce working memory usage, and increase execution speed.
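Review bot: this file duplicates the root changelog.md and repeats its errors: "CORP" for Cross-Origin-Opener-Policy in the table (should be COOP), "optimisation" for "optimisations", "Verison 9.7.x", "(COEP)" after the Cross-Origin-Opener-Policy link (should be "(COOP)"), and the stale "there are no new features in Version 9" sentence that the new 9.6.x and 9.7.x subsections contradict. Consider generating docs/changelog.md from the root changelog.md at build time so the two cannot diverge.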
53 changes: 53 additions & 0 deletions docs/configuration/Cross-Origin-Embedder-Policy.md
@@ -0,0 +1,53 @@
---
title: Cross-Origin-Opener-Policy
nav_order: 10
parent: Configuration
layout: page
---

The Mozilla Developer Network describes the Cross-Origin-Embedder-Policy (COEP) header like this:

{: .quote }
> The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures embedding cross-origin resources into the document.
>
> source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy

A COEP header can be added in one of two ways, either using the default middleware options:

```csharp
app.UseSecureHeadersMiddleware();
```

The above adds the COEP header with a `require-corp` value.

Or by creating an instance of the `SecureHeadersMiddlewareBuilder` class using the following code:

```csharp
var customConfig = SecureHeadersMiddlewareBuilder
.CreateBuilder()
.UseCrossOriginResourcePolicy()
.UseCrossOriginEmbedderPolicy()
.Build();

app.UseSecureHeadersMiddleware(customConfig);
```

{: .warning }
> It is important to note that the recommended value for this header requires the presence of the
> [Cross-Origin-Resource-Policy (CORP) header](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Resource-Policy/)
> in order to work.
> As such, if you add the COEP header without the CORP header, OwaspHeaders.Core will raise an ArgumentException.

The above adds the COEP header with a `require-corp` value.

## Full Options

The COEP header object (known internally as `CrossOriginEmbedderPolicy`) has the following options:

- enum: `CrossOriginEmbedderOptions`

The values available for the `CrossOriginEmbedderOptions` enum are:

- `UnsafeNoneValue`
- `RequireCorp`
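Review bot: the front matter `title` says `Cross-Origin-Opener-Policy` and the MDN quote cites the `.../Headers/Cross-Origin-Opener-Policy` URL, but this page documents Cross-Origin-Embedder-Policy; both should point at COEP. The warning block misdescribes the mechanism: `require-corp` tells the browser to refuse any cross-origin subresource (script, image, frame, and so on) that has not opted in via a `Cross-Origin-Resource-Policy` header or CORS, so it is the embedded resources that need CORP, not the document that sends COEP. Adding CORP to this app's own responses is still the right default (it controls whether this app's resources can be loaded by other COEP-enabled origins, and `Cross-Origin-Resource-Policy: same-origin` with `Cross-Origin-Embedder-Policy: require-corp` is the usual pairing for cross-origin isolation alongside `Cross-Origin-Opener-Policy: same-origin`), but the text should say that, and should state that the `ArgumentException` is the middleware's own validation rule rather than a browser requirement. It is also worth one sentence warning that enabling `require-corp` on an existing site will break any third-party asset that does not send CORP or CORS headers, so it needs testing first. "The above adds the COEP header with a `require-corp` value." appears twice; the second copy sits after the warning, separated from the builder sample it refers to, so move it directly under that sample or drop it. Lastly, the enum names are inconsistent (`UnsafeNoneValue` versus `RequireCorp`, while the COOP enum on the sibling page uses `UnsafeNone`), and the spec's third value, `credentialless`, has no member.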

4 changes: 2 additions & 2 deletions docs/configuration/Cross-Origin-Opener-Policy.md
@@ -43,7 +43,7 @@ The COOP header object (known internally as `CrossOriginOpenerPolicy`) has the f

The values available for the `CrossOriginOpenerOptions` enum are:

- `CrossOrigin`
- `SameSite`
- `UnsafeNone`
- `SameOriginAllowPopups`
- `SameOrigin`
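Review bot: the corrected list now matches the values the header actually defines (`unsafe-none`, `same-origin-allow-popups`, `same-origin`), but if `CrossOrigin` and `SameSite` were public members of `CrossOriginOpenerOptions` in an already-published 9.x package rather than only a documentation mistake, removing them is a breaking change for consumers, which by this project's own changelog convention ("major (i.e. breaking)") would call for a major version bump or a deprecation period; please confirm which case this is in the PR description.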

2 changes: 1 addition & 1 deletion docs/index.md
@@ -88,7 +88,7 @@ The following list displays the status of all the current (as of Dec 27th, 2024)
- [ ✅ ] [Cache-Control](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cache-Control/)
- [ ❌ ] Clear-Site-Data
- [ ✅ ] [Cross-Origin-Opener-Policy](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Opener-Policy/)
- [ ] Cross-Origin-Embedder-Policy
- [ ] Cross-Origin-Embedder-Policy
- [ ❌ ] Permissions-Policy

Key:
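Review bot: the modified line still reads `- [ ] Cross-Origin-Embedder-Policy`, so this is a whitespace-only change. Since this PR adds COEP support, the entry should become `- [ ✅ ] [Cross-Origin-Embedder-Policy](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Embedder-Policy/)`, mirroring the Cross-Origin-Opener-Policy entry directly above it.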
3 changes: 3 additions & 0 deletions src/Constants.cs
@@ -26,5 +26,8 @@ public static class Constants
public const string ExpectCtHeaderName = "Expect-CT";

public const string CrossOriginResourcePolicyHeaderName = "Cross-Origin-Resource-Policy";

public const string CrossOriginOpenerPolicyHeaderName = "Cross-Origin-Opener-Policy";

public const string CrossOriginEmbedderPolicyHeaderName = "Cross-Origin-Embedder-Policy";
}