LMBQ-267: Adding ContentSecurityPolicyProviders for embedded media and external login providers, ReCaptcha, Google Analytics

Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md

@@ -5,6 +5,7 @@
 - `ApplicationBuilderExtensions`: Contains the `AddContentSecurityPolicyHeader` extension method to add a middleware that provides the `Content-Security-Policy` header.
 - `CdnContentSecurityPolicyProvider`: An optional policy provider that permits additional CDN host names for the `script-scr` and `style-src` directives.
 - `ContentSecurityPolicyDirectives`: The `Content-Security-Policy` directive names that are defined in the W3C [recommendation](https://www.w3.org/TR/CSP2/#directives) and some common values.
+- `EmbeddedMediaContentSecurityPolicyProvider`: An optional policy provider that permits additional host names used by usual media embedding sources (like YouTube) for the `frame-scr` directive.
 - `IContentSecurityPolicyProvider`: Interface for services that update the dictionary that will be turned into the `Content-Security-Policy` header value.
 - `ServiceCollectionExtensions`: Extensions methods for `IServiceCollection`, e.g. `AddContentSecurityPolicyProvider()` is a shortcut to register `IContentSecurityPolicyProvider` in dependency injection.
 

Lombiq.HelpfulLibraries.AspNetCore/Security/ApplicationBuilderExtensions.cs

@@ -25,7 +25,7 @@ public static class ApplicationBuilderExtensions
  /// </param>
  /// <param name="allowInlineStyle">
  /// If <see langword="true"/> then inline styles are permitted. Note that even if your site has no embedded style
- /// blocks and no style attributes, some Javascript libraries may still create some from code.
+ /// blocks and no style attributes, some JavaScript libraries may still create some from code.
  /// </param>
  [SuppressMessage(
  "Critical Code Smell",

Lombiq.HelpfulLibraries.AspNetCore/Security/CdnContentSecurityPolicyProvider.cs

@@ -1,5 +1,4 @@
 using Microsoft.AspNetCore.Http;
-using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Linq;
@@ -16,77 +15,79 @@ namespace Lombiq.HelpfulLibraries.AspNetCore.Security;
 public class CdnContentSecurityPolicyProvider : IContentSecurityPolicyProvider
 {
  /// <summary>
- /// Gets the URLs whose <see cref="Uri.Host"/> will be added to the <see cref="StyleSrc"/> directive.
+ /// Gets the sources that will be added to the <see cref="StyleSrc"/> directive.
  /// </summary>
- public static ConcurrentBag<Uri> PermittedStyleSources { get; } = new(new[]
+ public static ConcurrentBag<string> PermittedStyleSources { get; } = new(new[]
  {
- new Uri("https://fonts.googleapis.com/css"),
- new Uri("https://fonts.gstatic.com/"),
- new Uri("https://cdn.jsdelivr.net/npm"),
- new Uri("https://fastly.jsdelivr.net/npm"),
- new Uri("https://cdnjs.cloudflare.com/"),
- new Uri("https://maxcdn.bootstrapcdn.com/"),
+ "fonts.googleapis.com",
+ "fonts.gstatic.com", // #spell-check-ignore-line
+ "cdn.jsdelivr.net", // #spell-check-ignore-line
+ "fastly.jsdelivr.net", // #spell-check-ignore-line
+ "cdnjs.cloudflare.com", // #spell-check-ignore-line
+ "maxcdn.bootstrapcdn.com", // #spell-check-ignore-line
  });
 
  /// <summary>
- /// Gets the URLs whose <see cref="Uri.Host"/> will be added to the <see cref="ScriptSrc"/> directive.
+ /// Gets the sources that will be added to the <see cref="ScriptSrc"/> directive.
  /// </summary>
- public static ConcurrentBag<Uri> PermittedScriptSources { get; } = new(new[]
+ public static ConcurrentBag<string> PermittedScriptSources { get; } = new(new[]
  {
- new Uri("https://cdn.jsdelivr.net/npm"),
- new Uri("https://code.jquery.com/"),
- new Uri("https://fastly.jsdelivr.net/npm"),
- new Uri("https://cdnjs.cloudflare.com/"),
- new Uri("https://maxcdn.bootstrapcdn.com/"),
+ "cdn.jsdelivr.net", // #spell-check-ignore-line
+ "cdnjs.cloudflare.com", // #spell-check-ignore-line
+ "code.jquery.com",
+ "fastly.jsdelivr.net", // #spell-check-ignore-line
+ "maxcdn.bootstrapcdn.com", // #spell-check-ignore-line
  });
 
  /// <summary>
- /// Gets the URLs whose <see cref="Uri.Host"/> will be added to the <see cref="FontSrc"/> directive.
+ /// Gets the sources that will be added to the <see cref="FontSrc"/> directive.
  /// </summary>
- public static ConcurrentBag<Uri> PermittedFontSources { get; } = new(new[]
+ public static ConcurrentBag<string> PermittedFontSources { get; } = new(new[]
  {
- new Uri("https://fonts.googleapis.com/"),
- new Uri("https://fonts.gstatic.com/"),
+ "cdn.jsdelivr.net", // #spell-check-ignore-line
+ "fonts.googleapis.com",
+ "fonts.gstatic.com", // #spell-check-ignore-line
  });
 
+ /// <summary>
+ /// Gets the sources that will be added to the <see cref="FrameSrc"/> directive.
+ /// </summary>
+ public static ConcurrentBag<string> PermittedFrameSources { get; } = [];
+
  public ValueTask UpdateAsync(IDictionary<string, string> securityPolicies, HttpContext context)
  {
  var any = false;
 
  if (!PermittedStyleSources.IsEmpty)
  {
  any = true;
- MergeValues(securityPolicies, StyleSrc, PermittedStyleSources);
+ CspHelper.MergeValues(securityPolicies, StyleSrc, PermittedStyleSources);
  }
 
  if (!PermittedScriptSources.IsEmpty)
  {
  any = true;
- MergeValues(securityPolicies, ScriptSrc, PermittedScriptSources);
+ CspHelper.MergeValues(securityPolicies, ScriptSrc, PermittedScriptSources);
  }
 
  if (!PermittedFontSources.IsEmpty)
  {
  any = true;
- MergeValues(securityPolicies, FontSrc, PermittedFontSources);
+ CspHelper.MergeValues(securityPolicies, FontSrc, PermittedFontSources);
+ }
+
+ if (!PermittedFrameSources.IsEmpty)
+ {
+ any = true;
+ CspHelper.MergeValues(securityPolicies, FrameSrc, PermittedFrameSources);
  }
 
  if (any)
  {
  var allPermittedSources = PermittedStyleSources.Concat(PermittedScriptSources).Concat(PermittedFontSources);
- MergeValues(securityPolicies, ConnectSrc, allPermittedSources);
+ CspHelper.MergeValues(securityPolicies, ConnectSrc, allPermittedSources);
  }
 
  return ValueTask.CompletedTask;
  }
-
- private static void MergeValues(IDictionary<string, string> policies, string key, IEnumerable<Uri> sources)
- {
- var directiveValue = policies.GetMaybe(key) ?? policies.GetMaybe(DefaultSrc) ?? string.Empty;
-
- policies[key] = string.Join(' ', directiveValue
- .Split(' ')
- .Union(sources.Select(uri => uri.Host))
- .Distinct());
- }
 }

Lombiq.HelpfulLibraries.AspNetCore/Security/CspHelper.cs

@@ -0,0 +1,20 @@
+using System.Collections.Generic;
+using System.Linq;
+
+namespace Lombiq.HelpfulLibraries.AspNetCore.Security;
+
+public static class CspHelper
+{
+ public static void MergeValues(IDictionary<string, string> policies, string key, params string[] sources) =>
+ MergeValues(policies, key, (IEnumerable<string>)sources);
+
+ public static void MergeValues(IDictionary<string, string> policies, string key, IEnumerable<string> sources)
+ {
+ var directiveValue = policies.GetMaybe(key) ?? policies.GetMaybe(ContentSecurityPolicyDirectives.DefaultSrc) ?? string.Empty;
+
+ policies[key] = string.Join(' ', directiveValue
+ .Split(' ')
+ .Union(sources)
+ .Distinct());
+ }
+}

Lombiq.HelpfulLibraries.AspNetCore/Security/EmbeddedMediaContentSecurityPolicyProvider.cs

@@ -0,0 +1,33 @@
+using Microsoft.AspNetCore.Http;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using static Lombiq.HelpfulLibraries.AspNetCore.Security.ContentSecurityPolicyDirectives;
+
+namespace Lombiq.HelpfulLibraries.AspNetCore.Security;
+
+/// <summary>
+/// A content security policy directive provider that provides additional permitted host names used by usual media
+/// embedding sources (like YouTube) for <see cref="FrameSrc"/>.
+/// </summary>
+public class EmbeddedMediaContentSecurityPolicyProvider : IContentSecurityPolicyProvider
+{
+ /// <summary>
+ /// Gets the sources that will be added to the <see cref="FrameSrc"/> directive.
+ /// </summary>
+ public static ConcurrentBag<string> PermittedFrameSources { get; } = new(new[]
+ {
+ "www.youtube.com/",
+ "www.youtube-nocookie.com/",
+ });
+
+ public ValueTask UpdateAsync(IDictionary<string, string> securityPolicies, HttpContext context)
+ {
+ if (!PermittedFrameSources.IsEmpty)
+ {
+ CspHelper.MergeValues(securityPolicies, FrameSrc, PermittedFrameSources);
+ }
+
+ return ValueTask.CompletedTask;
+ }
+}

Lombiq.HelpfulLibraries.AspNetCore/Security/IContentSecurityPolicyProvider.cs

@@ -1,4 +1,4 @@
-using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
 using System;
 using System.Collections.Generic;
@@ -46,7 +46,7 @@ public static class ContentSecurityPolicyProvider
  public static string GetDirective(IDictionary<string, string> securityPolicies, params string[] names) =>
  GetDirective(securityPolicies, names.AsEnumerable());
 
- /// <inheritdoc cref="GetDirective(System.Collections.Generic.IDictionary{string,string},string[])"/>
+ /// <inheritdoc cref="GetDirective(IDictionary{string,string},string[])"/>
  public static string GetDirective(IDictionary<string, string> securityPolicies, IEnumerable<string> names)
  {
  foreach (var name in names)

Lombiq.HelpfulLibraries.OrchardCore/Docs/Environment.md

@@ -2,4 +2,6 @@
 
 ## Extensions
 
+- `FeatureInfoEnumerableExtensions`: Shortcuts for `IEnumerable<IFeatureInfo>`, like `Any(featureId)`.
 - `OrchardCoreBuilderExtensions`: Shortcuts that can be used when initializing Orchard with `OrchardCoreBuilder`, e.g. `AddOrchardCms()`.
+- `ShellFeaturesManagerExtensions`: Shortcuts for `IShellFeaturesManager`, like `IsFeatureEnabledAsync()`.

Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md

@@ -14,5 +14,8 @@ These extensions provide additional security and can resolve issues reported by
 
 ## Services
 
+- `ExternalLoginContentSecurityPolicyProvider`: Provides various directives for the `Content-Security-Policy` header, allowing using external login providers that require special headers (like Microsoft login). Is automatically enabled when the affected features are enabled.
+- `GoogleAnalyticsContentSecurityPolicyProvider`: Provides various directives for the `Content-Security-Policy` header, allowing using Google Analytics tracking. Is automatically enabled when the `OrchardCore.Google.Analytics` feature is enabled or the provider is explicitly enabled for the current request via is `static` method.
+- `ReCaptchaContentSecurityPolicyProvider`: Provides various directives for the `Content-Security-Policy` header, allowing using ReCaptcha captchas. Is automatically enabled when the `OrchardCore.ReCaptcha` feature is enabled.
 - `ResourceManagerContentSecurityPolicyProvider`: An abstract base class for implementing content security policy providers that trigger when the specified resource is included.
 - `VueContentSecurityPolicyProvider`: An implementation of `ResourceManagerContentSecurityPolicyProvider` that adds `script-src: unsafe-eval` permission to the page if it uses the `vuejs` resource. This includes any Vue.js app in stock Orchard Core, apps you create in your view files, and SFCs created with the Lombiq.VueJs module. This is necessary, because without `unsafe-eval` Vue.js only supports templates that are pre-compiled into JS code.

Lombiq.HelpfulLibraries.OrchardCore/Environment/FeatureInfoEnumerableExtensions.cs

@@ -0,0 +1,18 @@
+using OrchardCore.Environment.Extensions.Features;
+using System.Collections.Generic;
+using System.Linq;
+
+namespace OrchardCore.Environment.Shell;
+
+/// <summary>
+/// Shortcuts for <see cref="IEnumerable{IFeatureInfo}"/>.
+/// </summary>
+public static class FeatureInfoEnumerableExtensions
+{
+ /// <summary>
+ /// Checks whether the given <see cref="IEnumerable{IFeatureInfo}"/> contains a feature with the given technical ID.
+ /// </summary>
+ /// <param name="featureId">Technical ID of the module feature.</param>
+ public static bool Any(this IEnumerable<IFeatureInfo> featureInfos, string featureId) =>
+ featureInfos.Any(feature => feature.Id == featureId);
+}

Lombiq.HelpfulLibraries.OrchardCore/Environment/ShellFeaturesManagerExtensions.cs

@@ -0,0 +1,16 @@
+using System.Threading.Tasks;
+
+namespace OrchardCore.Environment.Shell;
+
+/// <summary>
+/// Shortcuts for <see cref="IShellFeaturesManager"/>.
+/// </summary>
+public static class ShellFeaturesManagerExtensions
+{
+ /// <summary>
+ /// Checks whether the given module feature is enabled for the current shell.
+ /// </summary>
+ /// <param name="featureId">Technical ID of the module feature.</param>
+ public static async Task<bool> IsFeatureEnabledAsync(this IShellFeaturesManager shellFeaturesManager, string featureId) =>
+ (await shellFeaturesManager.GetEnabledFeaturesAsync()).Any(featureId);
+}

Lombiq.HelpfulLibraries.OrchardCore/Security/ExternalLoginContentSecurityPolicyProvider.cs

@@ -0,0 +1,30 @@
+using Lombiq.HelpfulLibraries.AspNetCore.Security;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using OrchardCore.Environment.Shell;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+using static Lombiq.HelpfulLibraries.AspNetCore.Security.ContentSecurityPolicyDirectives;
+
+namespace Lombiq.HelpfulLibraries.OrchardCore.Security;
+
+internal sealed class ExternalLoginContentSecurityPolicyProvider : IContentSecurityPolicyProvider
+{
+ public async ValueTask UpdateAsync(IDictionary<string, string> securityPolicies, HttpContext context)
+ {
+ var shellFeaturesManager = context.RequestServices.GetRequiredService<IShellFeaturesManager>();
+ var enabledFeatures = await shellFeaturesManager.GetEnabledFeaturesAsync();
+
+ if (enabledFeatures.Any("OrchardCore.Microsoft.Authentication.AzureAD"))
+ {
+ CspHelper.MergeValues(securityPolicies, FormAction, "login.microsoftonline.com"); // #spell-check-ignore-line
+ }
+
+ if (enabledFeatures.Any("OrchardCore.GitHub.Authentication"))
+ {
+ CspHelper.MergeValues(securityPolicies, FormAction, "github.com");
+ }
+ }
+}

Lombiq.HelpfulLibraries.OrchardCore/Security/GoogleAnalyticsContentSecurityPolicyProvider.cs

@@ -0,0 +1,33 @@
+using Lombiq.HelpfulLibraries.AspNetCore.Security;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using OrchardCore.Environment.Shell;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+
+using static Lombiq.HelpfulLibraries.AspNetCore.Security.ContentSecurityPolicyDirectives;
+
+namespace Lombiq.HelpfulLibraries.OrchardCore.Security;
+
+public class GoogleAnalyticsContentSecurityPolicyProvider : IContentSecurityPolicyProvider
+{
+ private const string HttpContextItemKey = nameof(GoogleAnalyticsContentSecurityPolicyProvider);
+
+ public async ValueTask UpdateAsync(IDictionary<string, string> securityPolicies, HttpContext context)
+ {
+ var googleAnalyticsIsEnabled = context.Items.ContainsKey(HttpContextItemKey);
+
+ if (!googleAnalyticsIsEnabled)
+ {
+ var shellFeaturesManager = context.RequestServices.GetRequiredService<IShellFeaturesManager>();
+ googleAnalyticsIsEnabled = await shellFeaturesManager.IsFeatureEnabledAsync("OrchardCore.Google.Analytics");
+ }
+
+ if (googleAnalyticsIsEnabled)
+ {
+ CspHelper.MergeValues(securityPolicies, ScriptSrc, "www.googletagmanager.com");
+ }
+ }
+
+ public static void EnableForCurrentRequest(HttpContext context) => context.Items[HttpContextItemKey] = "enabled";
+}

Lombiq.HelpfulLibraries.OrchardCore/Security/ReCaptchaContentSecurityPolicyProvider.cs

@@ -0,0 +1,24 @@
+using Lombiq.HelpfulLibraries.AspNetCore.Security;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using OrchardCore.Environment.Shell;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+
+using static Lombiq.HelpfulLibraries.AspNetCore.Security.ContentSecurityPolicyDirectives;
+
+namespace Lombiq.HelpfulLibraries.OrchardCore.Security;
+
+internal sealed class ReCaptchaContentSecurityPolicyProvider : IContentSecurityPolicyProvider
+{
+ public async ValueTask UpdateAsync(IDictionary<string, string> securityPolicies, HttpContext context)
+ {
+ var shellFeaturesManager = context.RequestServices.GetRequiredService<IShellFeaturesManager>();
+
+ if (await shellFeaturesManager.IsFeatureEnabledAsync("OrchardCore.ReCaptcha"))
+ {
+ CspHelper.MergeValues(securityPolicies, ScriptSrc, "www.google.com", "www.gstatic.com");
+ CspHelper.MergeValues(securityPolicies, FrameSrc, "www.google.com");
+ }
+ }
+}