add missing quotes for unsafe-inline

upgrade to 2.0

appveyor.yml

@@ -20,6 +20,6 @@ artifacts:
 deploy:
 - provider: NuGet
   api_key:
-    secure: bGn7M6dHOJ3QjwYIv7e34tcY/n9cCUZmL1MnM6jRfmnJOOfwlrS+cdRj2n8Wf31n
+    secure: //tKHlb2yqAtpxnR6p9IAtXwQNaq8UYYyIFSD0QVF3XnEasIxG2gTWdmWuG87fUX
   on:
     appveyor_repo_tag: true

src/HardHat.Example/HardHat.Example.csproj

@@ -1,12 +1,11 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp1.0</TargetFramework>
+    <TargetFramework>netcoreapp2.1</TargetFramework>
     <PreserveCompilationContext>true</PreserveCompilationContext>
     <AssemblyName>HardHat.Example</AssemblyName>
     <OutputType>Exe</OutputType>
     <PackageId>HardHat.Example</PackageId>
-    <PackageTargetFallback>$(PackageTargetFallback);dotnet5.6;portable-net45+win8</PackageTargetFallback>
   </PropertyGroup>
 
   <ItemGroup>
@@ -20,19 +19,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Diagnostics" Version="1.0.2" />
-    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.0.3" />
-    <PackageReference Include="Microsoft.AspNetCore.Routing" Version="1.0.3" />
-    <PackageReference Include="Microsoft.AspNetCore.Server.IISIntegration" Version="1.0.2" />
-    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="1.0.3" />
-    <PackageReference Include="Microsoft.AspNetCore.StaticFiles" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Logging" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="1.0.2" />
-    <PackageReference Include="Microsoft.VisualStudio.Web.BrowserLink" Version="1.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.App" />
   </ItemGroup>
 
   <Target Name="PrepublishScript" BeforeTargets="PrepareForPublish">

src/HardHat.Example/Startup.cs

@@ -37,7 +37,6 @@ namespace HardHat.Example
             if (env.IsDevelopment())
             {
                 app.UseDeveloperExceptionPage();
-                app.UseBrowserLink();
             }
             else
             {

src/HardHat.UnitTests/CSPBuilderTests.cs

@@ -25,10 +25,11 @@ namespace HardHat.UnitTests
                 FormAction = new HashSet<string>() { "http://*.example.com" },
                 FrameAncestors = new HashSet<string>() { "http://*.example.com" },
                 PluginTypes = new HashSet<string>() { "http://*.example.com" },
-                Sandbox = SandboxOption.AllowPointerLock
+                Sandbox = SandboxOption.AllowPointerLock,
+                UpgradeInsecureRequests = true
 
             });
-            Assert.Equal<string>(@"default-src 'self' 'none' http://*.example.com; script-src http://*.example.com; style-src http://*.example.com; img-src http://*.example.com; connect-src http://*.example.com; font-src http://*.example.com; object-src http://*.example.com; media-src http://*.example.com; child-src http://*.example.com; form-action http://*.example.com; frame-ancestors http://*.example.com; sandbox allow-pointer-lock; plugin-types http://*.example.com;", builder);
+            Assert.Equal<string>(@"default-src 'self' 'none' http://*.example.com; script-src http://*.example.com; style-src http://*.example.com; img-src http://*.example.com; connect-src http://*.example.com; font-src http://*.example.com; object-src http://*.example.com; media-src http://*.example.com; child-src http://*.example.com; form-action http://*.example.com; frame-ancestors http://*.example.com; sandbox allow-pointer-lock; plugin-types http://*.example.com; upgrade-insecure-requests;", builder);
         }
 
         [Fact]

src/HardHat.UnitTests/HardHat.UnitTests.csproj

@@ -1,9 +1,9 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFramework>netcoreapp1.1</TargetFramework>
+    <TargetFramework>netcoreapp2.1</TargetFramework>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="1.1.2" />
+    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.1.1" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="15.0.0" />
     <PackageReference Include="Moq" Version="4.7.25" />
     <PackageReference Include="xunit" Version="2.2.0" />

src/HardHat/Builders/ContentSecurityHeaderBuilder.cs

@@ -91,6 +91,10 @@ namespace HardHat.Builders
                 stringBuilder.Append(Constants.CSPDirectives.PluginTypes);
                 stringBuilder.Append($" {string.Join(" ", policy.PluginTypes)}; ");
             }
+            if(policy.UpgradeInsecureRequests)
+            {
+                stringBuilder.Append($"{Constants.CSPDirectives.UpgradeInsecureRequests}; ");
+            }
             return stringBuilder.ToString().TrimEnd();
         }
     }

src/HardHat/CSPConstants.cs

@@ -18,11 +18,11 @@ namespace HardHat
         /// <summary>
         /// Allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. You must include the single quotes.
         /// </summary>
-        public const string UnsafeInline = "unsafe-inline";
+        public const string UnsafeInline = "'unsafe-inline'";
         /// <summary>
         /// Allows the use of eval() and similar methods for creating code from strings. You must include the single quotes.
         /// </summary>
-        public const string UnsafeEval = "unsafe-eval";
+        public const string UnsafeEval = "'unsafe-eval'";
         /// <summary>
         /// Refers to the empty set; that is, no URLs match. The single quotes are required.
         /// </summary>
@@ -30,7 +30,7 @@ namespace HardHat
         /// <summary>
         /// The strict-dynamic source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self' or 'unsafe-inline' will be ignored.
         /// </summary>
-        public const string StrictDynamic = "strict-dynamic";
+        public const string StrictDynamic = "'strict-dynamic'";
         /// <summary>
         /// A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource’s policy is otherwise trivial. See unsafe inline script for an example.
         /// </summary>

src/HardHat/Constants.cs

@@ -52,6 +52,7 @@
             internal const string FormAction = "form-action";
             internal const string FrameAncestors = "frame-ancestors";
             internal const string PluginTypes = "plugin-types";
+            internal const string UpgradeInsecureRequests = "upgrade-insecure-requests";
         }
     }
 }

src/HardHat/ContentSecurityPolicy.cs

@@ -68,5 +68,6 @@ namespace HardHat
         /// </summary>
         public bool OnlySendReport { get; set;  } = false;
 
+        public bool UpgradeInsecureRequests { get; set; } = false;
     }
 }

src/HardHat/HardHat.csproj

@@ -3,19 +3,18 @@
   <PropertyGroup>
     <Description>.Net core Middleware, Add various headers to help secure your site. Disable XSS attacks with Content Security Policies, and make sure browsers do not mime sniff</Description>
     <Authors>Tommy Parnell</Authors>
-    <TargetFramework>netstandard1.6</TargetFramework>
+    <TargetFramework>netstandard2.0</TargetFramework>
     <AssemblyName>HardHat</AssemblyName>
     <PackageId>HardHat</PackageId>
     <PackageTags>xss;clickjack;clickjacking;security;.net core;Middleware;core;Content Security Policy;CSP</PackageTags>
     <PackageIconUrl>https://media.githubusercontent.com/media/TerribleDev/HardHat/master/Hat.png</PackageIconUrl>
     <PackageProjectUrl>https://github.com/TerribleDev/HardHat</PackageProjectUrl>
     <PackageLicenseUrl>https://opensource.org/licenses/MIT</PackageLicenseUrl>
-    <PackageTargetFallback>$(PackageTargetFallback);dnxcore50</PackageTargetFallback>
     <SourceLinkServerType>GitHub</SourceLinkServerType>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="1.0.2" />
+    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.1.1" />
     <PackageReference Include="SourceLink.Create.CommandLine" Version="2.4.0" PrivateAssets="All" /> 
   </ItemGroup>