Add ChildSrc CSP directive (#259)

* Add ChildSrc CSP directive

* Update public API

Author: andrewlock

src/NetEscapades.AspNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/ChildSourceDirectiveBuilder.cs

@@ -0,0 +1,16 @@
+namespace NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy;
+
+/// <summary>
+/// The <c>child</c> directive specifies valid sources for web workers and
+/// nested browsing contexts loaded using elements such as &lt;frame&gt; and &lt;iframe&gt;
+/// For workers, non-compliant requests are treated as fatal network errors by the user agent.
+/// </summary>
+public class ChildSourceDirectiveBuilder : CspDirectiveBuilder
+{
+    /// <summary>
+    /// Initializes a new instance of the <see cref="ChildSourceDirectiveBuilder"/> class.
+    /// </summary>
+    public ChildSourceDirectiveBuilder() : base("child-src")
+    {
+    }
+}

src/NetEscapades.AspNetCore.SecurityHeaders/Headers/ContentSecurityPolicy/CspBuilder.cs

@@ -26,6 +26,14 @@ public class CspBuilder
     /// <returns>A configured <see cref="DefaultSourceDirectiveBuilder"/></returns>
     public DefaultSourceDirectiveBuilder AddDefaultSrc() => AddDirective(new DefaultSourceDirectiveBuilder());
 
+    /// <summary>
+    /// The <c>child</c> directive specifies valid sources for web workers and
+    /// nested browsing contexts loaded using elements such as &lt;frame&gt; and &lt;iframe&gt;
+    /// For workers, non-compliant requests are treated as fatal network errors by the user agent.
+    /// </summary>
+    /// <returns>A configured <see cref="ChildSourceDirectiveBuilder"/></returns>
+    public ChildSourceDirectiveBuilder AddChildSrc() => AddDirective(new ChildSourceDirectiveBuilder());
+
     /// <summary>
     /// The <c>connect-src</c> directive restricts the URLs which can be loaded using script interfaces
     /// The APIs that are restricted are:  &lt;a&gt; ping, Fetch, XMLHttpRequest, WebSocket, and EventSource.

test/NetEscapades.AspNetCore.SecurityHeaders.Test/CspBuilderTests.cs

@@ -49,6 +49,15 @@ public void Build_AddDefaultSrc_WhenAddsMultipleValueEnumerable_ReturnsAllValues
         result.ConstantValue.Should().Be("default-src 'self' blob: data: http://testUrl.com http://testUrl2.com");
     }
 
+    [Test]
+    public void Build_AddChildSrc_WhenAddsMultipleValue_ReturnsAllValues()
+    {
+        var builder = new CspBuilder();
+        builder.AddChildSrc().Self().Blob().Data().From("http://testUrl.com");
+        var result = builder.Build();
+        result.ConstantValue.Should().Be("child-src 'self' blob: data: http://testUrl.com");
+    }
+
     [Test]
     public void Build_AddConnectSrc_WhenAddsMultipleValue_ReturnsAllValues()
     {
@@ -384,6 +393,7 @@ public void Build_ForAllHeaders_WhenNotUsingNonce_HasPerRequestValuesReturnsFals
     {
         var builder = new CspBuilder();
         builder.AddDefaultSrc().Self().Blob().Data().From("http://testUrl.com");
+        builder.AddChildSrc().Self().Blob().Data().From("http://testUrl.com");
         builder.AddConnectSrc().Self().Blob().Data().From("http://testUrl.com");
         builder.AddFontSrc().Self().Blob().Data().From("http://testUrl.com");
         builder.AddObjectSrc().Self().Blob().Data().From("http://testUrl.com");
@@ -407,6 +417,7 @@ public void Build_ForAllHeaders_WhenUsingNonce_HasPerRequestValuesReturnsTrue()
     {
         var builder = new CspBuilder();
         builder.AddDefaultSrc().Self().Blob().Data().From("http://testUrl.com");
+        builder.AddChildSrc().Self().Blob().Data().From("http://testUrl.com");
         builder.AddConnectSrc().Self().Blob().Data().From("http://testUrl.com");
         builder.AddFontSrc().Self().Blob().Data().From("http://testUrl.com");
         builder.AddObjectSrc().Self().Blob().Data().From("http://testUrl.com");

test/NetEscapades.AspNetCore.SecurityHeaders.Test/PublicApiTest.PublicApiHasNotChanged.verified.txt

@@ -54,6 +54,7 @@ namespace Microsoft.AspNetCore.Builder
         public CspBuilder() { }
         public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.BaseUriDirectiveBuilder AddBaseUri() { }
         public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.BlockAllMixedContentDirectiveBuilder AddBlockAllMixedContent() { }
+        public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.ChildSourceDirectiveBuilder AddChildSrc() { }
         public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.ConnectSourceDirectiveBuilder AddConnectSrc() { }
         public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CustomDirective AddCustomDirective(string directive) { }
         public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CustomDirective AddCustomDirective(string directive, string value) { }
@@ -301,6 +302,10 @@ namespace NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy
     {
         public BlockAllMixedContentDirectiveBuilder() { }
     }
+    public class ChildSourceDirectiveBuilder : NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CspDirectiveBuilder
+    {
+        public ChildSourceDirectiveBuilder() { }
+    }
     public class ConnectSourceDirectiveBuilder : NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CspDirectiveBuilder
     {
         public ConnectSourceDirectiveBuilder() { }

test/RazorWebSite/Startup.cs

@@ -35,6 +35,7 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env)
             {
                 builder.AddUpgradeInsecureRequests();
                 builder.AddDefaultSrc().Self();
+                builder.AddChildSrc().From("*");
                 builder.AddConnectSrc().From("*");
                 builder.AddFontSrc().From("*");
                 builder.AddFrameAncestors().From("*");