Content Security Policy Frame Ancestors builder doesn't allow multiple URIs in single call #178

Closed
JackGilmore opened this issue Sep 9, 2024 · 3 comments · Fixed by #179

@JackGilmore

When using CspBuilder while calling AddContentSecurityPolicy() to create a HeaderPolicyCollection, the builder allows you to pass in an IEnumerable<string> with multiple URIs, e.g.

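```csharp
// A collection expression needs an explicit target type; `var` does not compile here.
string[] uris = ["https://example.com", "https://example2.com"];

var policyCollection = new HeaderPolicyCollection()
        .AddContentSecurityPolicy(builder =>
        {
           // frame-src accepts the whole list in one call
           builder.AddFrameSrc().From(uris);
        });
```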

This doesn't seem to be the case as the .From() method for AddFrameAncestors() only appears to support a single string URI e.g.

```csharp
string[] uris = ["https://example.com", "https://example2.com"];

var policyCollection = new HeaderPolicyCollection()
        .AddContentSecurityPolicy(builder =>
        {
           // frame-ancestors only accepts one URI per From() call, so the calls are chained
           builder.AddFrameAncestors().From("https://example.com").From("https://example2.com");
        });
```

Is this an intentional design or is it possible to make AddFrameAncestors().From() support an IEnumerable<string> also?

andrewlock added a commit that referenced this issue Sep 9, 2024
`AddFrameAncestors()` derives from `CspDirectiveBuilderBase` rather than `CspDirectiveBuilder`, so the normal extensions don't apply

Fixes #178
@andrewlock
Owner

Hey @JackGilmore, yeah this is just a quirk - the FrameAncestorsDirectiveBuilder derives from CspDirectiveBuilderBase rather than CspDirectiveBuilder because it has slightly different allowed sources. I've created a PR to add the same method directly to the FrameAncestorsDirectiveBuilder - I think it makes sense, thanks!

@JackGilmore
Author

Awesome! Thanks for turning this around so quickly :) Would it be possible for you to publish a new version of your nuget package so I can pull this down to use with my app?

@andrewlock
Owner

Just pushed out a new version which contains this, v0.24.0!
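
An added example, not part of the thread or of the library's own code: when the `frame-ancestors` list comes from configuration and is passed as a collection, as the thread says is possible from v0.24.0, each entry can be reduced to a bare origin first. `FrameAncestorOrigins`, `Normalize` and the https-only rule are assumptions of this sketch; the builder call is shown only as a comment, in the form used in the issue.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper (added example): validates configured frame-ancestors entries.
public static class FrameAncestorOrigins
{
    // Returns de-duplicated scheme://host[:port] origins in input order.
    // Throws on the first entry that is not a bare https origin.
    public static IReadOnlyList<string> Normalize(IEnumerable<string> configured)
    {
        var result = new List<string>();
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var raw in configured)
        {
            var entry = raw?.Trim() ?? string.Empty;
            if (!Uri.TryCreate(entry, UriKind.Absolute, out var uri)
                || uri.Scheme != Uri.UriSchemeHttps   // assumption: only https embedders
                || uri.UserInfo.Length != 0           // no user:password@ prefix
                || uri.AbsolutePath != "/"            // no path component
                || uri.Query.Length != 0
                || uri.Fragment.Length != 0
                || uri.Host.Contains('*'))            // no wildcard hosts in this sketch
            {
                throw new ArgumentException($"Not a bare https origin: '{raw}'", nameof(configured));
            }

            // Rebuild the value from parsed components so nothing else from the
            // configured string (spaces, semicolons, extra tokens) reaches the header.
            var origin = uri.GetLeftPart(UriPartial.Authority);
            if (seen.Add(origin)) result.Add(origin);
        }
        return result;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: the second entry duplicates the first after normalization.
        string[] uris = ["https://example.com", "https://EXAMPLE.com/", "https://example2.com:8443"];
        var origins = FrameAncestorOrigins.Normalize(uris);
        Console.WriteLine(string.Join(" ", origins));

        // With the overload discussed in this issue, the list is then passed in one call:
        //   builder.AddFrameAncestors().From(origins);
    }
}
```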
