From 6d6058d16ab9e621b6fa8fc5385bd45a058e4236 Mon Sep 17 00:00:00 2001 From: Tommy Parnell Date: Sat, 31 Dec 2016 06:24:33 -0500 Subject: [PATCH] ieNoOpen, Referrer --- .vscode/launch.json | 42 ++++++ .vscode/tasks.json | 16 ++ Readme.md | 4 +- src/HardHat.Example/Project_Readme.html | 187 ------------------------ src/HardHat.Example/Startup.cs | 3 +- src/HardHat/Constants.cs | 29 +++- src/HardHat/Extensions.cs | 25 +--- src/HardHat/FrameGuard.cs | 2 - src/HardHat/IENoOpen.cs | 20 +++ src/HardHat/RefererPolicy.cs | 41 ++++++ 10 files changed, 150 insertions(+), 219 deletions(-) create mode 100644 .vscode/launch.json create mode 100644 .vscode/tasks.json delete mode 100644 src/HardHat.Example/Project_Readme.html create mode 100644 src/HardHat/IENoOpen.cs create mode 100644 src/HardHat/RefererPolicy.cs
diff --git a/.vscode/launch.json b/.vscode/launch.json
new file mode 100644
index 0000000..0c1ceb8
--- /dev/null
+++ b/.vscode/launch.json
@@ -0,0 +1,42 @@
+{
+ "version": "0.2.0",
+ "configurations": [
+ {
+ "name": ".NET Core Launch (web)",
+ "type": "coreclr",
+ "request": "launch",
+ "preLaunchTask": "build",
+ "program": "${workspaceRoot}\\src\\HardHat.Example\\bin\\Debug\\netcoreapp1.0\\HardHat.Example.dll",
+ "args": [],
+ "cwd": "${workspaceRoot}",
+ "stopAtEntry": false,
+ "internalConsoleOptions": "openOnSessionStart",
+ "launchBrowser": {
+ "enabled": true,
+ "args": "${auto-detect-url}",
+ "windows": {
+ "command": "cmd.exe",
+ "args": "/C start ${auto-detect-url}"
+ },
+ "osx": {
+ "command": "open"
+ },
+ "linux": {
+ "command": "xdg-open"
+ }
+ },
+ "env": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ },
+ "sourceFileMap": {
+ "/Views": "${workspaceRoot}/Views"
+ }
+ },
+ {
+ "name": ".NET Core Attach",
+ "type": "coreclr",
+ "request": "attach",
+ "processId": "${command.pickProcess}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
new file mode 100644
index 0000000..7b89b6c
--- /dev/null
+++ b/.vscode/tasks.json
@@ -0,0 +1,16 @@
+{
+ "version": "0.1.0",
+ "command": "dotnet",
+ "isShellCommand": true,
+ "args": [],
+ "tasks": [
+ {
+ "taskName": "build",
+ "args": [
+ "${workspaceRoot}\\src\\HardHat.Example\\project.json"
+ ],
+ "isBuildCommand": true,
+ "problemMatcher": "$msCompile"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Readme.md b/Readme.md
index 65168e8..5a4a2e9 100644
--- a/Readme.md
+++ b/Readme.md
@@ -13,6 +13,8 @@ In short this allows:
 app.DnsPrefetch(allow: false); //turn off dns prefetch to keep privacy of users on site
 app.AddFrameGuard(new FrameGuardOptions(FrameGuardOptions.FrameGuard.SAMEORIGIN)); //prevent content from being loaded in an iframe unless its within the same origin
 app.UseHsts(maxAge: 5000, includeSubDomains: true, preload: false); //enforce hsts
+ app.AddReferrerPolicy(ReferrerPolicy.NoReferrer);
+ app.AddIENoOpen();
 ...
 app.UseMvc(routes =>
 {
@@ -30,8 +32,6 @@ In short this allows:
 todo:
 * CSP
-* ie NoOpen
 * don't sniff mime type
 * XSS protection
-* disable referer
diff --git a/src/HardHat.Example/Project_Readme.html b/src/HardHat.Example/Project_Readme.html
deleted file mode 100644
index 1a0f5b5..0000000
--- a/src/HardHat.Example/Project_Readme.html
+++ /dev/null
@@ -1,187 +0,0 @@
- - - - - Welcome to ASP.NET Core - - - - - - -
-
-

This application consists of:

-
    -
  • Sample pages using ASP.NET Core MVC
  • -
  • Bower for managing client-side libraries
  • -
  • Theming using Bootstrap
  • -
-
- - - - - -
- - -
diff --git a/src/HardHat.Example/Startup.cs b/src/HardHat.Example/Startup.cs
index 7cdcb84..6302304 100644
--- a/src/HardHat.Example/Startup.cs
+++ b/src/HardHat.Example/Startup.cs
@@ -50,7 +50,8 @@ namespace HardHat.Example
 app.AddFrameGuard(new FrameGuardOptions(FrameGuardOptions.FrameGuard.SAMEORIGIN));
 app.UseHsts(maxAge: 5000, includeSubDomains: true, preload: false);
 app.UseStaticFiles();
-
+ app.AddReferrerPolicy(ReferrerPolicy.NoReferrer);
+ app.AddIENoOpen();
 app.UseMvc(routes =>
 {
 routes.MapRoute(
diff --git a/src/HardHat/Constants.cs b/src/HardHat/Constants.cs
index 78d9e5e..329b700 100644
--- a/src/HardHat/Constants.cs
+++ b/src/HardHat/Constants.cs
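Review bot: The two new registrations are placed after `app.UseStaticFiles()`, so any response the static-file middleware serves short-circuits the pipeline before `Referrer-Policy` and `X-Download-Options` are written — and downloadable static files are exactly what `X-Download-Options: noopen` exists to protect. Move them above the static-file middleware, next to the other header middleware: `app.AddReferrerPolicy(ReferrerPolicy.NoReferrer); app.AddIENoOpen(); app.UseStaticFiles();`. The same ordering concern applies to `UseMvc`-served responses only if something between them short-circuits, which nothing visible here does. The enclosing method (presumably `Configure`) starts and ends outside the hunk.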
@@ -5,13 +5,28 @@ using System.Threading.Tasks;
 namespace HardHat
 {
- public static class Constants
+ internal static class Constants
 {
- public static string DnsControlHeader = "X-DNS-Prefetch-Control";
- public static string FrameGuardHeader = "X-Frame-Options";
- public static string StrictTransportSecurity = "Strict-Transport-Security";
- public static string MaxAge = "max-age";
- public static string IncludeSubDomains = "; includeSubDomains";
- public static string Preload = "; preload";
+ internal const string DnsControlHeader = "X-DNS-Prefetch-Control";
+ internal const string FrameGuardHeader = "X-Frame-Options";
+ internal const string StrictTransportSecurity = "Strict-Transport-Security";
+ internal const string MaxAge = "max-age";
+ internal const string IncludeSubDomains = "; includeSubDomains";
+ internal const string Preload = "; preload";
+ internal const string DowloadOptions = "X-Download-Options";
+ internal const string NoOpen = "noopen";
+ internal const string ReferrerPolicy = "Referrer-Policy";
+
+ internal static class Referrers
+ {
+ internal const string NoReferrer = "no-referrer";
+ internal const string NoReferrerWhenDowngrade = "no-referrer-when-downgrade";
+ internal const string SameOrigin = "same-origin";
+ internal const string Origin = "origin";
+ internal const string StrictOrigin = "strict-origin";
+ internal const string OriginWhenCrossOrigin = "origin-when-cross-origin";
+ internal const string StrictOriginWhenCrossOrigin = "strict-origin-when-cross-origin";
+ internal const string UnsafeUrl = "unsafe-url";
+ }
 }
 }
diff --git a/src/HardHat/Extensions.cs b/src/HardHat/Extensions.cs
index 58e29d2..8cc00bf 100644
--- a/src/HardHat/Extensions.cs
+++ b/src/HardHat/Extensions.cs
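Review bot: `DowloadOptions` is misspelled and is already referenced from the new `IENoOpen` middleware, so it is cheapest to fix now before more call sites pick it up: `internal const string DownloadOptions = "X-Download-Options";`. Separately, turning `public static class Constants` into `internal` with `const` members removes a public type: any consumer that referenced `HardHat.Constants.FrameGuardHeader` or its siblings stops compiling. The old members were mutable `public static string` fields that any code could reassign at runtime, so the tightening is the right security call, but it is a breaking change that deserves a mention in the commit message or release notes.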
@@ -1,28 +1,13 @@
 using HardHat;
-using Microsoft.AspNetCore.Builder;
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
 namespace Microsoft.AspNetCore.Builder
 {
 public static class Extensions
 {
- public static IApplicationBuilder DnsPrefetch(this IApplicationBuilder app, bool allow = false)
- {
- app.UseMiddleware(allow);
- return app;
- }
- public static IApplicationBuilder AddFrameGuard(this IApplicationBuilder app, FrameGuardOptions options)
- {
- app.UseMiddleware(options);
- return app;
- }
- public static IApplicationBuilder UseHsts(this IApplicationBuilder app, ulong maxAge, bool includeSubDomains = false, bool preload = false)
- {
- app.UseMiddleware(maxAge, includeSubDomains, preload);
- return app;
- }
+ public static IApplicationBuilder DnsPrefetch(this IApplicationBuilder app, bool allow = false) => app.UseMiddleware(allow);
+ public static IApplicationBuilder AddFrameGuard(this IApplicationBuilder app, FrameGuardOptions options) => app.UseMiddleware(options);
+ public static IApplicationBuilder UseHsts(this IApplicationBuilder app, ulong maxAge, bool includeSubDomains = false, bool preload = false) => app.UseMiddleware(maxAge, includeSubDomains, preload);
+ public static IApplicationBuilder AddIENoOpen(this IApplicationBuilder app) => app.UseMiddleware();
+ public static IApplicationBuilder AddReferrerPolicy(this IApplicationBuilder app, ReferrerPolicy policy) => app.UseMiddleware(policy);
 }
 }
diff --git a/src/HardHat/FrameGuard.cs b/src/HardHat/FrameGuard.cs
index 13aa323..cd49f23 100644
--- a/src/HardHat/FrameGuard.cs
+++ b/src/HardHat/FrameGuard.cs
@@ -1,7 +1,5 @@
 using Microsoft.AspNetCore.Http;
 using System;
-using System.Collections.Generic;
-using System.Linq;
 using System.Threading.Tasks;
 namespace HardHat
diff --git a/src/HardHat/IENoOpen.cs b/src/HardHat/IENoOpen.cs
new file mode 100644
index 0000000..ba7751b
--- /dev/null
+++ b/src/HardHat/IENoOpen.cs
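Review bot: The two new extension methods take the `Add` prefix (`AddIENoOpen`, `AddReferrerPolicy`) while the same file exposes `UseHsts`; in ASP.NET Core, `Add*` is the convention for `IServiceCollection` registrations and `Use*` for `IApplicationBuilder` middleware, so these would read more naturally as `UseIENoOpen` and `UseReferrerPolicy`, e.g. `public static IApplicationBuilder UseReferrerPolicy(this IApplicationBuilder app, ReferrerPolicy policy) => app.UseMiddleware<ReferrerPolicyMiddlewear>(policy);`. Both are introduced in this commit, so renaming now costs nothing and avoids an `[Obsolete]` forwarder later. The generic type arguments on the `UseMiddleware` calls appear to have been stripped by this rendering of the diff (`app.UseMiddleware(allow)` would not compile as written), so I am assuming `UseMiddleware<T>` throughout. These are public API with no XML documentation; a one-line `/// <summary>` per method naming the header it emits would help consumers choose.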
@@ -0,0 +1,20 @@
+using Microsoft.AspNetCore.Http;
+using System.Threading.Tasks;
+
+namespace HardHat
+{
+ public class IENoOpen
+ {
+ private readonly RequestDelegate _next;
+ public IENoOpen(RequestDelegate next)
+ {
+ _next = next;
+ }
+
+ public Task Invoke(HttpContext context)
+ {
+ context.Response.Headers[Constants.DowloadOptions] = Constants.NoOpen;
+ return _next.Invoke(context);
+ }
+ }
+}
diff --git a/src/HardHat/RefererPolicy.cs b/src/HardHat/RefererPolicy.cs
new file mode 100644
index 0000000..e952839
--- /dev/null
+++ b/src/HardHat/RefererPolicy.cs
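Review bot: `IENoOpen` is public API with no documentation, and the header it emits is narrow enough that callers should be told what they are and are not getting: `X-Download-Options: noopen` is honored by Internet Explorer only, and only changes the download prompt (no "Open" button) so a downloaded HTML file is not opened in the site's security context. Suggest on the class: `/// <summary>Middleware that sets <c>X-Download-Options: noopen</c> on every response so Internet Explorer offers Save but not Open for downloads; other browsers ignore the header, so treat this as defense in depth, not a control.</summary>`. Worth a second sentence in the same comment that the header is written before `_next` runs, so downstream middleware and endpoints can still override or remove it. The constant it reads, `Constants.DowloadOptions`, carries a typo that should be fixed alongside this reference.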
@@ -0,0 +1,41 @@
+using Microsoft.AspNetCore.Http;
+using System.Threading.Tasks;
+
+namespace HardHat
+{
+ public class ReferrerPolicyMiddlewear
+ {
+ private readonly RequestDelegate _next;
+ private readonly ReferrerPolicy policy;
+ public ReferrerPolicyMiddlewear(RequestDelegate next, ReferrerPolicy policy)
+ {
+ this.policy = policy;
+ _next = next;
+ }
+
+ public Task Invoke(HttpContext context)
+ {
+ context.Response.Headers[Constants.ReferrerPolicy] = this.policy.Policy;
+ return _next.Invoke(context);
+ }
+ }
+ public struct ReferrerPolicy
+ {
+ internal readonly string Policy;
+ internal ReferrerPolicy(string policy)
+ {
+ this.Policy = policy;
+ }
+ //todo: document https://www.w3.org/TR/referrer-policy/#referrer-policies
+
+ public static readonly ReferrerPolicy Empty = new ReferrerPolicy(string.Empty);
+ public static readonly ReferrerPolicy NoReferrer = new ReferrerPolicy(Constants.Referrers.NoReferrer);
+ public static readonly ReferrerPolicy NoReferrerWhenDowngrade = new ReferrerPolicy(Constants.Referrers.NoReferrerWhenDowngrade);
+ public static readonly ReferrerPolicy SameOrigin = new ReferrerPolicy(Constants.Referrers.SameOrigin);
+ public static readonly ReferrerPolicy Origin = new ReferrerPolicy(Constants.Referrers.Origin);
+ public static readonly ReferrerPolicy StrictOrigin = new ReferrerPolicy(Constants.Referrers.StrictOrigin);
+ public static readonly ReferrerPolicy OriginWhenCrossOrigin = new ReferrerPolicy(Constants.Referrers.OriginWhenCrossOrigin);
+ public static readonly ReferrerPolicy StrictOriginWhenCrossOrigin = new ReferrerPolicy(Constants.Referrers.StrictOriginWhenCrossOrigin);
+ public static readonly ReferrerPolicy UnsafeUrl = new ReferrerPolicy(Constants.Referrers.UnsafeUrl);
+ }
+}
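Review bot: `ReferrerPolicyMiddlewear` accepts any `ReferrerPolicy` without checking it, yet two reachable values carry no policy string: `ReferrerPolicy.Empty` (`string.Empty`) and a default-constructed struct (`new ReferrerPolicy()` is legal for a public struct and leaves `Policy` null). Both flow into `context.Response.Headers[Constants.ReferrerPolicy] = this.policy.Policy` in `Invoke`; depending on the header-dictionary implementation the header is either dropped or sent with an empty value — which the spec treats as "no policy" — and either way the caller believes a policy is being enforced when none is. Validate in the constructor, `if (string.IsNullOrEmpty(policy.Policy)) throw new ArgumentException("A referrer policy value is required.", nameof(policy));`, and either remove `Empty` or document it as an explicit opt-out that emits nothing. The class name misspells Middleware and does not match the file name `RefererPolicy.cs` (single r), and the `//todo: document` on the struct should become XML docs per value — `UnsafeUrl` in particular needs a warning that it sends the full URL, including query string, to cross-origin and plaintext destinations.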