Added support for Cross-Origin-Embedder-Policy: credentialless (#153)

andrewlock · Mar 19, 2024 · 54185de · 54185de
1 parent 6992bf4
commit 54185de
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 0 deletions.
diff --git a/...urityHeaders/Headers/CrossOriginPolicies/EmbedderPolicy/CredentiallessDirectiveBuilder.cs b/...urityHeaders/Headers/CrossOriginPolicies/EmbedderPolicy/CredentiallessDirectiveBuilder.cs
@@ -0,0 +1,27 @@
+using System;
+using Microsoft.AspNetCore.Http;
+
+namespace NetEscapades.AspNetCore.SecurityHeaders.Headers.CrossOriginPolicies.EmbedderPolicy;
+
+/// <summary>
+/// no-cors cross-origin requests are sent without credentials.
+/// In particular, it means Cookies are omitted from the request, and ignored from the response.
+/// The responses are allowed without an explicit permission via the Cross-Origin-Resource-Policy header.
+/// Navigate responses behave similarly as the require-corp mode: They require Cross-Origin-Resource-Policy response header.
+/// From: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#directives
+/// </summary>
+public class CredentiallessDirectiveBuilder : CrossOriginEmbedderPolicyDirectiveBuilderBase
+{
+    /// <summary>
+    /// Initializes a new instance of the <see cref="CredentiallessDirectiveBuilder"/> class.
+    /// </summary>
+    public CredentiallessDirectiveBuilder() : base("credentialless")
+    {
+    }
+
+    /// <inheritdoc />
+    internal override Func<HttpContext, string> CreateBuilder()
+    {
+        return ctx => Directive;
+    }
+}
diff --git a/...ityHeaders/Headers/CrossOriginPolicies/EmbedderPolicy/CrossOriginEmbedderPolicyBuilder.cs b/...ityHeaders/Headers/CrossOriginPolicies/EmbedderPolicy/CrossOriginEmbedderPolicyBuilder.cs
@@ -25,4 +25,14 @@ public class CrossOriginEmbedderPolicyBuilder : CrossOriginPolicyBuilder
     /// </summary>
     /// <returns>A configured <see cref="RequireCorpDirectiveBuilder"/></returns>
     public RequireCorpDirectiveBuilder RequireCorp() => AddDirective(new RequireCorpDirectiveBuilder());
+
+    /// <summary>
+    /// no-cors cross-origin requests are sent without credentials.
+    /// In particular, it means Cookies are omitted from the request, and ignored from the response.
+    /// The responses are allowed without an explicit permission via the Cross-Origin-Resource-Policy header.
+    /// Navigate responses behave similarly as the require-corp mode: They require Cross-Origin-Resource-Policy response header.
+    /// From: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#directives
+    /// </summary>
+    /// <returns>A configured <see cref="CredentiallessDirectiveBuilder"/></returns>
+    public CredentiallessDirectiveBuilder Credentialless() => AddDirective(new CredentiallessDirectiveBuilder());
 }
diff --git a/test/NetEscapades.AspNetCore.SecurityHeaders.Test/CrossOriginEmbedderPolicyBuilderTests.cs b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/CrossOriginEmbedderPolicyBuilderTests.cs
@@ -63,4 +63,27 @@ public void Build_AddRequireCorp_WithReportEndpoint_AddsValue()
 
         result.ConstantValue.Should().Be("require-corp; report-to=\"default\"");
     }
+
+    [Fact]
+    public void Build_AddCredentialless_AddsValue()
+    {
+        var builder = new CrossOriginEmbedderPolicyBuilder();
+        builder.Credentialless();
+
+        var result = builder.Build();
+
+        result.ConstantValue.Should().Be("credentialless");
+    }
+
+    [Fact]
+    public void Build_AddCredentialless_WithReportEndpoint_AddsValue()
+    {
+        var builder = new CrossOriginEmbedderPolicyBuilder();
+        builder.Credentialless();
+        builder.AddReport().To("default");
+
+        var result = builder.Build();
+
+        result.ConstantValue.Should().Be("credentialless; report-to=\"default\"");
+    }
 }