stop

appveyor.yml

@@ -14,7 +14,7 @@ build_script:
           dotnet pack src\HardHat\HardHat.csproj --configuration Release --output ..\..\output /p:Version=0.0.1-build-$env:APPVEYOR_BUILD_NUMBER
         }
 test_script:
-- ps: dotnet test src\HardHat.UnitTests\HardHat.UnitTests.csproj
+- ps: dotnet test src\HardHat.UnitTests\HardHat.UnitTests.csproj /p:CollectCoverage=true /p:CoverletOutputFormat=opencover
 artifacts:
 - path: output\**.nupkg
 deploy:

src/HardHat.UnitTests/CSPBuilderTests.cs

@@ -26,7 +26,7 @@ namespace HardHat.UnitTests
                 FrameAncestors = new HashSet<string>() { "http://*.example.com" },
                 PluginTypes = new HashSet<string>() { "http://*.example.com" },
                 Sandbox = SandboxOption.AllowPointerLock,
-                UpgradeInsecureRequests = true
+                UpgradeInsecureResponse = true
 
             });
             Assert.Equal<string>(@"default-src 'self' 'none' http://*.example.com; script-src http://*.example.com; style-src http://*.example.com; img-src http://*.example.com; connect-src http://*.example.com; font-src http://*.example.com; object-src http://*.example.com; media-src http://*.example.com; child-src http://*.example.com; form-action http://*.example.com; frame-ancestors http://*.example.com; sandbox allow-pointer-lock; plugin-types http://*.example.com; upgrade-insecure-requests;", builder);

src/HardHat.UnitTests/HardHat.UnitTests.csproj

@@ -3,6 +3,10 @@
     <TargetFramework>netcoreapp2.1</TargetFramework>
   </PropertyGroup>
   <ItemGroup>
+    <PackageReference Include="coverlet.msbuild" Version="2.3.1">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
     <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.1.1" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="15.0.0" />
     <PackageReference Include="Moq" Version="4.7.25" />

src/HardHat/Builders/ContentSecurityHeaderBuilder.cs

@@ -13,6 +13,10 @@ namespace HardHat.Builders
             {
                 throw new ArgumentNullException(nameof(policy));
             }
+            if(policy.DefaultSrc.Count > 0 && policy.DefaultSrc.Contains(CSPConstants.None))
+            {
+                //todo throw exception in this case
+            }
             if (policy.DefaultSrc != null && policy.DefaultSrc.Count > 0)
             {
                 stringBuilder.Append(Constants.CSPDirectives.DefaultSrc);
@@ -91,7 +95,7 @@ namespace HardHat.Builders
                 stringBuilder.Append(Constants.CSPDirectives.PluginTypes);
                 stringBuilder.Append($" {string.Join(" ", policy.PluginTypes)}; ");
             }
-            if(policy.UpgradeInsecureRequests)
+            if(policy.UpgradeInsecureResponse) 
             {
                 stringBuilder.Append($"{Constants.CSPDirectives.UpgradeInsecureRequests}; ");
             }

src/HardHat/CSPConstants.cs

@@ -18,11 +18,11 @@ namespace HardHat
         /// <summary>
         /// Allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. You must include the single quotes.
         /// </summary>
-        public const string UnsafeInline = "'unsafe-inline'";
+        public const string UnsafeInline = "unsafe-inline";
         /// <summary>
         /// Allows the use of eval() and similar methods for creating code from strings. You must include the single quotes.
         /// </summary>
-        public const string UnsafeEval = "'unsafe-eval'";
+        public const string UnsafeEval = "unsafe-eval";
         /// <summary>
         /// Refers to the empty set; that is, no URLs match. The single quotes are required.
         /// </summary>
@@ -30,7 +30,7 @@ namespace HardHat
         /// <summary>
         /// The strict-dynamic source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self' or 'unsafe-inline' will be ignored.
         /// </summary>
-        public const string StrictDynamic = "'strict-dynamic'";
+        public const string StrictDynamic = "strict-dynamic";
         /// <summary>
         /// A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource’s policy is otherwise trivial. See unsafe inline script for an example.
         /// </summary>

src/HardHat/ContentSecurityPolicy.cs

@@ -68,6 +68,7 @@ namespace HardHat
         /// </summary>
         public bool OnlySendReport { get; set;  } = false;
 
-        public bool UpgradeInsecureRequests { get; set; } = false;
+        public bool UpgradeInsecureResponse { get; set; } = false;
+
     }
 }

src/HardHat/ContentSecurityPolicyBuilder.cs

@@ -204,6 +204,11 @@ namespace HardHat
             Policy.Sandbox = sandboxOption ?? throw new ArgumentNullException(nameof(sandboxOption));
             return this;
         }
+        public ContentSecurityPolicyBuilder WithUpgradeInsecureResponse(bool enable = true) 
+        {
+            Policy.UpgradeInsecureResponse = enable;
+            return this;
+        }
         public ContentSecurityPolicy BuildPolicy() => Policy;
 
     }