Skip to content

Commit

Permalink
Feature/cross origin embedder policy (#164)
Browse files Browse the repository at this point in the history 
* Added support for Cross-Origin-Embedder-Policy (COEP) header.

* Added documentation page for Cross-Origin-Embedder-Policy (COEP) header

* Fixed typo in Cross-Origin-Opener-Policy (COOP)

* Minor version bump

* Ran solution-wide formatting fix

* Added check mark for COEP header in the Included Headers section of docs

* Added all headers (as of 9.7.1) to the Readme files

* Updated the repo root level changelog

* Updated the docs level changelog

---------

Co-authored-by: Jamie Taylor <jamie.taylor@rjj-software.co.uk>
  • Loading branch information
@GaProgMan @jamie-taylor-rjj
GaProgMan and jamie-taylor-rjj authored Dec 30, 2024
1 parent cc7b291 commit 1a8e56f
Show file tree
Hide file tree
Showing 18 changed files with 341 additions and 51 deletions.
20 changes: 11 additions & 9 deletions README-NuGet.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,15 +31,17 @@ This will add a number of default HTTP headers to all responses from your server
The following is an example of the response headers from version 9.0.0 (taken on November 19th, 2024)

```http
cache-control: max-age=31536000,private
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
cross-origin-resource-policy: same-origin
referrer-policy: no-referrer
strict-transport-security: max-age=31536000;includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-permitted-cross-domain-policies: none;
x-xss-protection: 0
strict-transport-security: max-age=31536000;includesubdomains
x-frame-options: deny
x-content-type-options: nosniff
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
cross-origin-resource-policy: same-origin
cache-control: max-age=0,no-store
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: same-require-corp
x-xss-protection: 0
```

Please note: The above example contains only the headers added by the Middleware.
Expand Down
20 changes: 11 additions & 9 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -55,15 +55,17 @@ This will add a number of default HTTP headers to all responses from your server
The following is an example of the response headers from version 9.0.0 (taken on November 19th, 2024)

```http
cache-control: max-age=31536000,private
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
cross-origin-resource-policy: same-origin
referrer-policy: no-referrer
strict-transport-security: max-age=31536000;includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-permitted-cross-domain-policies: none;
x-xss-protection: 0
strict-transport-security: max-age=31536000;includesubdomains
x-frame-options: deny
x-content-type-options: nosniff
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
cross-origin-resource-policy: same-origin
cache-control: max-age=0,no-store
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: same-require-corp
x-xss-protection: 0
```

Please note: The above example contains only the headers added by the Middleware.
Expand Down
26 changes: 15 additions & 11 deletions changelog.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,24 +4,28 @@ This changelog represents all the major (i.e. breaking) changes made to the Owas

## TL;DR

| Major Version Number | Changes |
|----------------------|-------------------------------------------------------------------------|
| 9 | Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. |
| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes |
| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplified the use of the middleware in Composite Root/Program.cs |
| 6 | Removes Expect-CT Header from the list of default headers |
| 5 | XSS Protection is now hard-coded to return "0" if enabled |
| 4 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> uses .NET Standard 2.0 <br /> Removed XSS Protection header from defaults |
| 3 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 2.0 |
| 2 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Core 2.0 |
| 1 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 1.4 |
| Major Version Number | Changes |
|----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 9 | Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. <br /> A number of small optimisation have been made to the middleware's `Invoke` method <br /> Added support for both Cross-Origin-Opener-Policy (CORP) and Cross-Origin-Embedder-Policy (COEP) headers |
| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes |
| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplified the use of the middleware in Composite Root/Program.cs |
| 6 | Removes Expect-CT Header from the list of default headers |
| 5 | XSS Protection is now hard-coded to return "0" if enabled |
| 4 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> uses .NET Standard 2.0 <br /> Removed XSS Protection header from defaults |
| 3 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 2.0 |
| 2 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Core 2.0 |
| 1 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 1.4 |

### Version 9

This version dropped support for .NET 6 and .NET 7, as they are no longer supported by Microsoft. It also added support for .NET 9.

All projects in the [GitHub repo](https://github.com/GaProgMan/OwaspHeaders.Core) now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.

#### Verison 9.7.x

This version saw the addition of both the [Cross-Origin-Opener-Policy](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Opener-Policy/) (COEP) and [Cross-Origin-Embedder-Policy](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Embedder-Policy/) (COEP) headers; bringing the total number of supported headers to 83% complete (or 10 of the 12 recommended headers and values).

#### Version 9.6.x

This version saw the addition of a number of _very_ small changes to the middleware's `Invoke` method which aimed to increase efficiency, reduce working memory usage, and increase execution speed.
Expand Down
32 changes: 15 additions & 17 deletions docs/changelog.md
View file
Original file line number Diff line number Diff line change
@@ -1,33 +1,31 @@
---
title: Changelog
layout: page
nav_order: 7
---

# Changelog

This changelog represents all the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to [AppVeyor](https://ci.appveyor.com/project/GaProgMan/owaspheaders-core). Because of this, the releases on the GitHub repo became stale.

## TL;DR

| Major Version Number | Changes |
|----------------------|-------------------------------------------------------------------------|
| 9 | Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. |
| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes |
| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplified the use of the middleware in Composite Root/Program.cs |
| 6 | Removes Expect-CT Header from the list of default headers |
| 5 | XSS Protection is now hard-coded to return "0" if enabled |
| 4 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> uses .NET Standard 2.0 <br /> Removed XSS Protection header from defaults |
| 3 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 2.0 |
| 2 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Core 2.0 |
| 1 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 1.4 |
| Major Version Number | Changes |
|----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 9 | Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. <br /> A number of small optimisation have been made to the middleware's `Invoke` method <br /> Added support for both Cross-Origin-Opener-Policy (CORP) and Cross-Origin-Embedder-Policy (COEP) headers |
| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes |
| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplified the use of the middleware in Composite Root/Program.cs |
| 6 | Removes Expect-CT Header from the list of default headers |
| 5 | XSS Protection is now hard-coded to return "0" if enabled |
| 4 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> uses .NET Standard 2.0 <br /> Removed XSS Protection header from defaults |
| 3 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 2.0 |
| 2 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Core 2.0 |
| 1 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 1.4 |

### Version 9

This version dropped support for .NET 6 and .NET 7, as they are no longer supported by Microsoft. It also added support for .NET 9.

All projects in the [GitHub repo](https://github.com/GaProgMan/OwaspHeaders.Core) now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.

#### Verison 9.7.x

This version saw the addition of both the [Cross-Origin-Opener-Policy](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Opener-Policy/) (COEP) and [Cross-Origin-Embedder-Policy](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Embedder-Policy/) (COEP) headers; bringing the total number of supported headers to 83% complete (or 10 of the 12 recommended headers and values).

#### Version 9.6.x

This version saw the addition of a number of _very_ small changes to the middleware's `Invoke` method which aimed to increase efficiency, reduce working memory usage, and increase execution speed.
Expand Down
53 changes: 53 additions & 0 deletions docs/configuration/Cross-Origin-Embedder-Policy.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
---
title: Cross-Origin-Opener-Policy
nav_order: 10
parent: Configuration
layout: page
---

The Mozilla Developer Network describes the Cross-Origin-Embedder-Policy (COEP) header like this:

{: .quote }
> The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures embedding cross-origin resources into the document.
>
> source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
A COEP header can be added in one of two ways, either using the default middleware options:

```csharp
app.UseSecureHeadersMiddleware();
```

The above adds the COEP header with a `require-corp` value.

Or by creating an instance of the `SecureHeadersMiddlewareBuilder` class using the following code:

```csharp
var customConfig = SecureHeadersMiddlewareBuilder
.CreateBuilder()
.UseCrossOriginResourcePolicy()
.UseCrossOriginEmbedderPolicy()
.Build();

app.UseSecureHeadersMiddleware(customConfig);
```

{: .warning }
> It is important to note that the recommended value for this header requires the presence of the
> [Cross-Origin-Resource-Policy (CORP) header](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Resource-Policy/)
> in order to work.
> As such, if you add the COEP header without the CORP header, OwaspHeaders.Core will raise an ArgumentException.
The above adds the COEP header with a `require-corp` value.

## Full Options

The COEP header object (known internally as `CrossOriginEmbedderPolicy`) has the following options:

- enum: `CrossOriginEmbedderOptions`

The values available for the `CrossOriginEmbedderOptions` enum are:

- `UnsafeNoneValue`
- `RequireCorp`

4 changes: 2 additions & 2 deletions docs/configuration/Cross-Origin-Opener-Policy.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ The COOP header object (known internally as `CrossOriginOpenerPolicy`) has the f

The values available for the `CrossOriginOpenerOptions` enum are:

- `CrossOrigin`
- `SameSite`
- `UnsafeNone`
- `SameOriginAllowPopups`
- `SameOrigin`

2 changes: 1 addition & 1 deletion docs/index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ The following list displays the status of all the current (as of Dec 27th, 2024)
- [] [Cache-Control](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cache-Control/)
- [] Clear-Site-Data
- [] [Cross-Origin-Opener-Policy](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Cross-Origin-Opener-Policy/)
- [ ] Cross-Origin-Embedder-Policy
- [ ] Cross-Origin-Embedder-Policy
- [] Permissions-Policy

Key:
Expand Down
3 changes: 3 additions & 0 deletions src/Constants.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,5 +26,8 @@ public static class Constants
public const string ExpectCtHeaderName = "Expect-CT";

public const string CrossOriginResourcePolicyHeaderName = "Cross-Origin-Resource-Policy";

public const string CrossOriginOpenerPolicyHeaderName = "Cross-Origin-Opener-Policy";

public const string CrossOriginEmbedderPolicyHeaderName = "Cross-Origin-Embedder-Policy";
}
Loading

0 comments on commit 1a8e56f

Please sign in to comment.