From 97e3c4a7f3ba3fa150ee4d3a7e50338b0e81d0bc Mon Sep 17 00:00:00 2001
From: miguelcrpinto <miguelcrpinto@outlook.com>
Date: Thu, 18 May 2023 22:46:56 +0200
Subject: [PATCH 1/3] Implemented Cross-Origin-Resource-Policy response header

---
 src/Constants.cs                              |  2 +
 .../SecureHeadersMiddlewareBuilder.cs         | 17 +++++
 .../SecureHeadersMiddlewareExtensions.cs      |  1 +
 src/Models/CrossOriginResourcePolicy.cs       | 67 +++++++++++++++++++
 .../SecureHeadersMiddlewareConfiguration.cs   |  7 ++
 src/SecureHeadersMiddleware.cs                |  6 ++
 tests/SecureHeadersInjectedTest.cs            | 31 +++++++++
 7 files changed, 131 insertions(+)
 create mode 100644 src/Models/CrossOriginResourcePolicy.cs

diff --git a/src/Constants.cs b/src/Constants.cs
index 61aa50c..d8d5314 100644
--- a/src/Constants.cs
+++ b/src/Constants.cs
@@ -27,5 +27,7 @@ public static class Constants
         public static readonly string PoweredByHeaderName = "X-Powered-By";
 
         public static readonly string ServerHeaderName = "Server";
+
+        public static readonly string CrossOriginResourcePolicyHeaderName = "Cross-Origin-Resource-Policy";
     }
 }
diff --git a/src/Extensions/SecureHeadersMiddlewareBuilder.cs b/src/Extensions/SecureHeadersMiddlewareBuilder.cs
index dbb5722..fffbc6a 100644
--- a/src/Extensions/SecureHeadersMiddlewareBuilder.cs
+++ b/src/Extensions/SecureHeadersMiddlewareBuilder.cs
@@ -12,6 +12,7 @@
 using OwaspHeaders.Core.Enums;
 using OwaspHeaders.Core.Helpers;
 using OwaspHeaders.Core.Models;
+using static OwaspHeaders.Core.Models.CrossOriginResourcePolicy;
 
 namespace OwaspHeaders.Core.Extensions
 {
@@ -319,7 +320,23 @@ public static SecureHeadersMiddlewareConfiguration RemovePoweredByHeader
             (this SecureHeadersMiddlewareConfiguration config)
         {
             config.RemoveXPoweredByHeader = true;
+            return config;
+        }
 
+        /// <summary>
+        /// The HTTP Cross-Origin-Resource-Policy response header conveys a desire that the browser 
+        /// blocks no-cors cross-origin/cross-site requests to the given resource.
+        /// </summary>
+        /// <param name="value">
+        /// The HTTP Cross-Origin-Resource-Policy response header value.
+        /// </param>
+        /// <remarks>
+        /// Defaults to "same-origin" (<see cref="CrossOriginResourceOptions.SameOrigin"/>) which means that "Only requests from the same Origin (i.e. scheme + host + port) can read the resource."
+        ///</remarks>
+        public static SecureHeadersMiddlewareConfiguration UseCrossOriginResourcePolicy(this SecureHeadersMiddlewareConfiguration config, CrossOriginResourceOptions value = CrossOriginResourceOptions.SameOrigin)
+        {
+            config.UseCrossOriginResourcePolicy = true;
+            config.CrossOriginResourcePolicy = new CrossOriginResourcePolicy(value);
             return config;
         }
 
diff --git a/src/Extensions/SecureHeadersMiddlewareExtensions.cs b/src/Extensions/SecureHeadersMiddlewareExtensions.cs
index e686d5e..bdb2be3 100644
--- a/src/Extensions/SecureHeadersMiddlewareExtensions.cs
+++ b/src/Extensions/SecureHeadersMiddlewareExtensions.cs
@@ -33,6 +33,7 @@ public static SecureHeadersMiddlewareConfiguration BuildDefaultConfiguration()
                 .UseCacheControl()
                 .RemovePoweredByHeader()
                 .UseXssProtection()
+                .UseCrossOriginResourcePolicy()
                 .Build();
         }
 
diff --git a/src/Models/CrossOriginResourcePolicy.cs b/src/Models/CrossOriginResourcePolicy.cs
new file mode 100644
index 0000000..09b445d
--- /dev/null
+++ b/src/Models/CrossOriginResourcePolicy.cs
@@ -0,0 +1,67 @@
+namespace OwaspHeaders.Core.Models
+{
+    /// <summary>
+    /// Cross-Origin-Resource-Policy
+    /// This response header(also named CORP) allows to define a policy that lets web sites and applications opt in to protection 
+    /// against certain requests from other origins(such as those issued with elements like<script> and <img>), to mitigate speculative 
+    /// side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion(XSSI) attacks(source Mozilla MDN).
+    /// </summary>
+    public class CrossOriginResourcePolicy : IConfigurationBase
+    {
+        /// <summary>
+        /// Only requests from the same Origin (i.e. scheme + host + port) can read the resource.
+        /// </summary>
+        public const string SameOriginValue = "same-origin";
+        /// <summary>
+        /// Only requests from the same Site can read the resource.
+        /// </summary>
+        public const string SameSiteValue = "same-site";
+        /// <summary>
+        /// Requests from any Origin (both same-site and cross-site) can read the resource. 
+        /// Browsers are using this policy when an CORP header is not specified.
+        /// </summary>
+        public const string CrossOriginValue = "same-origin";
+
+        public enum CrossOriginResourceOptions 
+        {
+            /// <summary>
+            /// <see cref="SameOriginValue"/>
+            /// </summary>
+            SameOrigin,
+            /// <summary>
+            /// <see cref="SameSiteValue"/>
+            /// </summary>
+            SameSite,
+            /// <summary>
+            /// <see cref="CrossOriginValue"/>
+            /// </summary>
+            CrossOrigin
+        };
+
+        public CrossOriginResourceOptions OptionValue { get; set; }
+
+        public CrossOriginResourcePolicy(CrossOriginResourceOptions value = CrossOriginResourceOptions.SameOrigin)
+        {
+            OptionValue = value;
+        }
+
+        /// <summary>
+        /// Builds the HTTP header value
+        /// </summary>
+        /// <returns>A string representing the HTTP header value</returns>
+        public string BuildHeaderValue()
+        {
+            switch (OptionValue)
+            {
+                case CrossOriginResourceOptions.CrossOrigin:
+                    return CrossOriginValue;
+                case CrossOriginResourceOptions.SameSite:
+                    return SameSiteValue;
+                case CrossOriginResourceOptions.SameOrigin:
+                default:
+                    return SameOriginValue;
+            }
+        }
+
+    }
+}
diff --git a/src/Models/SecureHeadersMiddlewareConfiguration.cs b/src/Models/SecureHeadersMiddlewareConfiguration.cs
index b56d582..f524de6 100644
--- a/src/Models/SecureHeadersMiddlewareConfiguration.cs
+++ b/src/Models/SecureHeadersMiddlewareConfiguration.cs
@@ -63,6 +63,11 @@ public class SecureHeadersMiddlewareConfiguration
 
         public bool RemoveXPoweredByHeader { get; set; }
 
+        /// <summary>
+        /// Indicates whether the response should use Cross-Origin-Resource-Policy
+        /// </summary>
+        public bool UseCrossOriginResourcePolicy { get; set; }
+
         /// <summary>
         /// The HTTP Strict Transport Security configuration to use
         /// </summary>
@@ -107,5 +112,7 @@ public class SecureHeadersMiddlewareConfiguration
         /// The Expect-CT configuration to use
         /// </summary>
         public ExpectCt ExpectCt { get; set; }
+
+        public CrossOriginResourcePolicy CrossOriginResourcePolicy { get; set; }
     }
 }
diff --git a/src/SecureHeadersMiddleware.cs b/src/SecureHeadersMiddleware.cs
index b4b3af3..deea5a0 100755
--- a/src/SecureHeadersMiddleware.cs
+++ b/src/SecureHeadersMiddleware.cs
@@ -113,6 +113,12 @@ public async Task InvokeAsync(HttpContext httpContext)
                 httpContext.TryRemoveHeader(Constants.ServerHeaderName);
             }
 
+           if(_config.UseCrossOriginResourcePolicy)
+            {
+                httpContext.TryAddHeader(Constants.CrossOriginResourcePolicyHeaderName,
+                    _config.CrossOriginResourcePolicy.BuildHeaderValue());
+            }
+
             // Call the next middleware in the chain
             await _next(httpContext);
         }
diff --git a/tests/SecureHeadersInjectedTest.cs b/tests/SecureHeadersInjectedTest.cs
index f34d13f..e6373b0 100755
--- a/tests/SecureHeadersInjectedTest.cs
+++ b/tests/SecureHeadersInjectedTest.cs
@@ -475,4 +475,35 @@ public async Task Invoke_CacheControl_HeaderIsNotPresent()
         Assert.False(headerNotPresentConfig.UseCacheControl);
         Assert.False(_context.Response.Headers.ContainsKey(Constants.CacheControlHeaderName));
     }
+
+    [Fact]
+    public async Task Invoke_CrossOriginResourcePolicyHeaderName_HeaderIsPresent()
+    {
+        // arrange
+        var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseCrossOriginResourcePolicy().Build();
+        var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
+
+        // act
+        await secureHeadersMiddleware.InvokeAsync(_context);
+
+        // assert
+        Assert.True(headerPresentConfig.UseCrossOriginResourcePolicy);
+        Assert.True(_context.Response.Headers.ContainsKey(Constants.CrossOriginResourcePolicyHeaderName));
+        Assert.Equal(CrossOriginResourcePolicy.SameOriginValue, _context.Response.Headers[Constants.CrossOriginResourcePolicyHeaderName]);
+    }
+
+    [Fact]
+    public async Task Invoke_CrossOriginResourcePolicyHeaderName_HeaderIsNotPresent()
+    {
+        // arrange
+        var headerNotPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build();
+        var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerNotPresentConfig);
+
+        // act
+        await secureHeadersMiddleware.InvokeAsync(_context);
+
+        // assert
+        Assert.False(headerNotPresentConfig.UseCrossOriginResourcePolicy);
+        Assert.False(_context.Response.Headers.ContainsKey(Constants.CrossOriginResourcePolicyHeaderName));
+    }
 }

From 031a66769b2f11169131ce88e53b26a24589ad20 Mon Sep 17 00:00:00 2001
From: miguelcrpinto <miguelcrpinto@outlook.com>
Date: Tue, 30 May 2023 21:31:17 +0200
Subject: [PATCH 2/3] Corrected typo in the CrossOriginValue const value

---
 src/Models/CrossOriginResourcePolicy.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Models/CrossOriginResourcePolicy.cs b/src/Models/CrossOriginResourcePolicy.cs
index 09b445d..1c1e4ca 100644
--- a/src/Models/CrossOriginResourcePolicy.cs
+++ b/src/Models/CrossOriginResourcePolicy.cs
@@ -20,7 +20,7 @@ public class CrossOriginResourcePolicy : IConfigurationBase
         /// Requests from any Origin (both same-site and cross-site) can read the resource. 
         /// Browsers are using this policy when an CORP header is not specified.
         /// </summary>
-        public const string CrossOriginValue = "same-origin";
+        public const string CrossOriginValue = "cross-origin";
 
         public enum CrossOriginResourceOptions 
         {

From ddc58cae62bd6fdd53b257ca63bd51a8f916eb68 Mon Sep 17 00:00:00 2001
From: miguelcrpinto <miguelcrpinto@outlook.com>
Date: Tue, 30 May 2023 21:40:28 +0200
Subject: [PATCH 3/3] Bumped the nuget version and updated the changelog to
 include the new feature in version 7

---
 changelog.md                 | 4 ++++
 src/OwaspHeaders.Core.csproj | 2 +-
 src/OwaspHeadersCore.nuspec  | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/changelog.md b/changelog.md
index e6f1dbf..e335b84 100644
--- a/changelog.md
+++ b/changelog.md
@@ -12,6 +12,10 @@ This changelog represents all of the major (i.e. breaking) changes made to the O
 | 2 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Core 2.0 |
 | 1 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class <br /> also uses .NET Standard 1.4 |
 
+### Version 7
+
+This version adds the Cross-Origin-Resource-Policy header with the OWASP recommended value "same-origin" to the list of default headers in the `BuildDefaultConfiguration()` extension method. This was requested via [issue #76](https://github.com/GaProgMan/OwaspHeaders.Core/issues/76). 
+
 ### Version 6
 
 This version removes Expect-CT Header from the list of default headers in the `BuildDefaultConfiguration()` extension method. This is related to [issue #72](https://github.com/GaProgMan/OwaspHeaders.Core/issues/72).
diff --git a/src/OwaspHeaders.Core.csproj b/src/OwaspHeaders.Core.csproj
index 7ae864a..36f0fcd 100755
--- a/src/OwaspHeaders.Core.csproj
+++ b/src/OwaspHeaders.Core.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <Description>An ASP.NET Core Middleware which adds the OWASP recommended HTTP headers for enhanced security.</Description>
-    <VersionPrefix>6.1.0</VersionPrefix>
+    <VersionPrefix>7.0.0</VersionPrefix>
     <Authors>Jamie Taylor</Authors>
     <AssemblyName>OwaspHeaders.Core</AssemblyName>
     <TargetFramework>netstandard2.0</TargetFramework>
diff --git a/src/OwaspHeadersCore.nuspec b/src/OwaspHeadersCore.nuspec
index ec288ce..48094ed 100644
--- a/src/OwaspHeadersCore.nuspec
+++ b/src/OwaspHeadersCore.nuspec
@@ -2,7 +2,7 @@
 <package xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <metadata xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
     <id>OwaspHeaders.Core</id>
-    <version>6.1.0</version>
+    <version>7.0.0</version>
     <authors>GaProgMan</authors>
     <owners>GaProgMan</owners>
     <readme>docs\README-NuGet.md</readme>