Cleanup

Tim-Maes · Tim-Maes · commit f2906912c35c · 2025-07-10T08:30:25.000+02:00
diff --git a/src/BlazorFrame/Services/CspBuilderService.cs b/src/BlazorFrame/Services/CspBuilderService.cs
@@ -45,19 +45,14 @@ public CspHeader BuildCspHeader(CspOptions options, IEnumerable<string>? iframeS
     {
         var directives = new Dictionary<string, List<string>>();
         
-        // Handle frame-src and child-src directives
         BuildFrameDirectives(directives, options, iframeSources);
         
-        // Handle script-src directive
         BuildScriptDirectives(directives, options);
         
-        // Handle frame-ancestors directive
         BuildFrameAncestorsDirectives(directives, options);
         
-        // Add custom directives
         AddCustomDirectives(directives, options);
         
-        // Build the CSP header value
         var headerValue = BuildHeaderValue(directives, options);
         
         var headerName = options.ReportOnly 
@@ -138,7 +133,6 @@ public CspValidationResult ValidateCspOptions(CspOptions options)
         var errors = new List<string>();
         var suggestions = new List<string>();
 
-        // Check for unsafe practices
         if (options.AllowInlineScripts)
         {
             warnings.Add("Using 'unsafe-inline' in script-src reduces security. Consider using nonces or strict-dynamic.");
@@ -149,13 +143,11 @@ public CspValidationResult ValidateCspOptions(CspOptions options)
             warnings.Add("Using 'unsafe-eval' in script-src can enable code injection attacks.");
         }
 
-        // Check for missing essential directives
         if (options.FrameSrc.Count == 0 && options.ChildSrc.Count == 0 && options.AutoDeriveFrameSrc == false)
         {
             suggestions.Add("Consider adding frame-src or child-src directives to control iframe sources.");
         }
 
-        // Check for nonce usage
         if (!string.IsNullOrEmpty(options.ScriptNonce))
         {
             if (options.AllowInlineScripts)
@@ -164,7 +156,6 @@ public CspValidationResult ValidateCspOptions(CspOptions options)
             }
         }
 
-        // Check for strict-dynamic usage
         if (options.UseStrictDynamic)
         {
             if (options.AllowInlineScripts || options.AllowEval)
@@ -173,7 +164,6 @@ public CspValidationResult ValidateCspOptions(CspOptions options)
             }
         }
 
-        // Check for report-only mode
         if (options.ReportOnly && string.IsNullOrEmpty(options.ReportUri))
         {
             suggestions.Add("Consider adding a report-uri when using report-only mode to collect violation reports.");
@@ -252,23 +242,20 @@ private void BuildFrameDirectives(Dictionary<string, List<string>> directives, C
     {
         var frameSources = new List<string>();
         
-        // Add explicitly configured frame sources
         frameSources.AddRange(options.FrameSrc);
         
-        // Auto-derive from iframe sources if enabled
         if (options.AutoDeriveFrameSrc && iframeSources != null)
         {
             var derivedOrigins = ExtractValidOrigins(iframeSources);
             frameSources.AddRange(derivedOrigins);
         }
         
-        // Remove duplicates and add to directives
         if (frameSources.Count > 0)
         {
             directives["frame-src"] = frameSources.Distinct().ToList();
         }
         
-        // Handle child-src (fallback for older browsers)
+        // fallback for older browsers
         if (options.ChildSrc.Count > 0)
         {
             directives["child-src"] = options.ChildSrc.Distinct().ToList();
@@ -279,25 +266,21 @@ private void BuildScriptDirectives(Dictionary<string, List<string>> directives,
     {
         var scriptSources = new List<string>(options.ScriptSrc);
         
-        // Add nonce if specified
         if (!string.IsNullOrEmpty(options.ScriptNonce))
         {
             scriptSources.Add($"'nonce-{options.ScriptNonce}'");
         }
         
-        // Add unsafe-inline if allowed
         if (options.AllowInlineScripts)
         {
             scriptSources.Add(Sources.UnsafeInline);
         }
         
-        // Add unsafe-eval if allowed
         if (options.AllowEval)
         {
             scriptSources.Add(Sources.UnsafeEval);
         }
         
-        // Add strict-dynamic if enabled
         if (options.UseStrictDynamic)
         {
             scriptSources.Add(Sources.StrictDynamic);
@@ -348,7 +331,6 @@ private string BuildHeaderValue(Dictionary<string, List<string>> directives, Csp
             }
         }
         
-        // Add report-uri if specified
         if (!string.IsNullOrEmpty(options.ReportUri))
         {
             if (sb.Length > 0)
diff --git a/src/BlazorFrame/Services/MessageValidationService.cs b/src/BlazorFrame/Services/MessageValidationService.cs
@@ -41,7 +41,6 @@ public IframeMessage ValidateMessage(
                 $"Message size ({messageJson.Length} bytes) exceeds maximum allowed size ({options.MaxMessageSize} bytes)");
         }
 
-        // Check for potentially malicious content
         if (ContainsSuspiciousContent(messageJson))
         {
             return CreateInvalidMessage(origin, messageJson, "Message contains potentially malicious content");

Original file line number	Diff line number	Diff line change
`@@ -45,19 +45,14 @@ public CspHeader BuildCspHeader(CspOptions options, IEnumerable<string>? iframeS`
`45`	`45`	`{`
`46`	`46`	`var directives = new Dictionary<string, List<string>>();`
`47`	`47`
`48`		`- // Handle frame-src and child-src directives`
`49`	`48`	`BuildFrameDirectives(directives, options, iframeSources);`
`50`	`49`
`51`		`- // Handle script-src directive`
`52`	`50`	`BuildScriptDirectives(directives, options);`
`53`	`51`
`54`		`- // Handle frame-ancestors directive`
`55`	`52`	`BuildFrameAncestorsDirectives(directives, options);`
`56`	`53`
`57`		`- // Add custom directives`
`58`	`54`	`AddCustomDirectives(directives, options);`
`59`	`55`
`60`		`- // Build the CSP header value`
`61`	`56`	`var headerValue = BuildHeaderValue(directives, options);`
`62`	`57`
`63`	`58`	`var headerName = options.ReportOnly`
`@@ -138,7 +133,6 @@ public CspValidationResult ValidateCspOptions(CspOptions options)`
`138`	`133`	`var errors = new List<string>();`
`139`	`134`	`var suggestions = new List<string>();`
`140`	`135`
`141`		`- // Check for unsafe practices`
`142`	`136`	`if (options.AllowInlineScripts)`
`143`	`137`	`{`
`144`	`138`	`warnings.Add("Using 'unsafe-inline' in script-src reduces security. Consider using nonces or strict-dynamic.");`
`@@ -149,13 +143,11 @@ public CspValidationResult ValidateCspOptions(CspOptions options)`
`149`	`143`	`warnings.Add("Using 'unsafe-eval' in script-src can enable code injection attacks.");`
`150`	`144`	`}`
`151`	`145`
`152`		`- // Check for missing essential directives`
`153`	`146`	`if (options.FrameSrc.Count == 0 && options.ChildSrc.Count == 0 && options.AutoDeriveFrameSrc == false)`
`154`	`147`	`{`
`155`	`148`	`suggestions.Add("Consider adding frame-src or child-src directives to control iframe sources.");`
`156`	`149`	`}`
`157`	`150`
`158`		`- // Check for nonce usage`
`159`	`151`	`if (!string.IsNullOrEmpty(options.ScriptNonce))`
`160`	`152`	`{`
`161`	`153`	`if (options.AllowInlineScripts)`
`@@ -164,7 +156,6 @@ public CspValidationResult ValidateCspOptions(CspOptions options)`
`164`	`156`	`}`
`165`	`157`	`}`
`166`	`158`
`167`		`- // Check for strict-dynamic usage`
`168`	`159`	`if (options.UseStrictDynamic)`
`169`	`160`	`{`
`170`	`161`	`if (options.AllowInlineScripts \|\| options.AllowEval)`
`@@ -173,7 +164,6 @@ public CspValidationResult ValidateCspOptions(CspOptions options)`
`173`	`164`	`}`
`174`	`165`	`}`
`175`	`166`
`176`		`- // Check for report-only mode`
`177`	`167`	`if (options.ReportOnly && string.IsNullOrEmpty(options.ReportUri))`
`178`	`168`	`{`
`179`	`169`	`suggestions.Add("Consider adding a report-uri when using report-only mode to collect violation reports.");`
`@@ -252,23 +242,20 @@ private void BuildFrameDirectives(Dictionary<string, List<string>> directives, C`
`252`	`242`	`{`
`253`	`243`	`var frameSources = new List<string>();`
`254`	`244`
`255`		`- // Add explicitly configured frame sources`
`256`	`245`	`frameSources.AddRange(options.FrameSrc);`
`257`	`246`
`258`		`- // Auto-derive from iframe sources if enabled`
`259`	`247`	`if (options.AutoDeriveFrameSrc && iframeSources != null)`
`260`	`248`	`{`
`261`	`249`	`var derivedOrigins = ExtractValidOrigins(iframeSources);`
`262`	`250`	`frameSources.AddRange(derivedOrigins);`
`263`	`251`	`}`
`264`	`252`
`265`		`- // Remove duplicates and add to directives`
`266`	`253`	`if (frameSources.Count > 0)`
`267`	`254`	`{`
`268`	`255`	`directives["frame-src"] = frameSources.Distinct().ToList();`
`269`	`256`	`}`
`270`	`257`
`271`		`- // Handle child-src (fallback for older browsers)`
	`258`	`+ // fallback for older browsers`
`272`	`259`	`if (options.ChildSrc.Count > 0)`
`273`	`260`	`{`
`274`	`261`	`directives["child-src"] = options.ChildSrc.Distinct().ToList();`
`@@ -279,25 +266,21 @@ private void BuildScriptDirectives(Dictionary<string, List<string>> directives,`
`279`	`266`	`{`
`280`	`267`	`var scriptSources = new List<string>(options.ScriptSrc);`
`281`	`268`
`282`		`- // Add nonce if specified`
`283`	`269`	`if (!string.IsNullOrEmpty(options.ScriptNonce))`
`284`	`270`	`{`
`285`	`271`	`scriptSources.Add($"'nonce-{options.ScriptNonce}'");`
`286`	`272`	`}`
`287`	`273`
`288`		`- // Add unsafe-inline if allowed`
`289`	`274`	`if (options.AllowInlineScripts)`
`290`	`275`	`{`
`291`	`276`	`scriptSources.Add(Sources.UnsafeInline);`
`292`	`277`	`}`
`293`	`278`
`294`		`- // Add unsafe-eval if allowed`
`295`	`279`	`if (options.AllowEval)`
`296`	`280`	`{`
`297`	`281`	`scriptSources.Add(Sources.UnsafeEval);`
`298`	`282`	`}`
`299`	`283`
`300`		`- // Add strict-dynamic if enabled`
`301`	`284`	`if (options.UseStrictDynamic)`
`302`	`285`	`{`
`303`	`286`	`scriptSources.Add(Sources.StrictDynamic);`
`@@ -348,7 +331,6 @@ private string BuildHeaderValue(Dictionary<string, List<string>> directives, Csp`
`348`	`331`	`}`
`349`	`332`	`}`
`350`	`333`
`351`		`- // Add report-uri if specified`
`352`	`334`	`if (!string.IsNullOrEmpty(options.ReportUri))`
`353`	`335`	`{`
`354`	`336`	`if (sb.Length > 0)`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,6 @@ public IframeMessage ValidateMessage(`
`41`	`41`	`$"Message size ({messageJson.Length} bytes) exceeds maximum allowed size ({options.MaxMessageSize} bytes)");`
`42`	`42`	`}`
`43`	`43`
`44`		`- // Check for potentially malicious content`
`45`	`44`	`if (ContainsSuspiciousContent(messageJson))`
`46`	`45`	`{`
`47`	`46`	`return CreateInvalidMessage(origin, messageJson, "Message contains potentially malicious content");`