X-XSS-Protection

2025-01-18 21:32:27 +01:00 · 2018-07-12 02:23:54 +09:00 · 2018-07-12 02:23:54 +09:00 · 5dd57c8064
commit 5dd57c8064
parent a256dd3277
4 changed files with 34 additions and 6 deletions
--- a/BTCPayServer/Filters/XContentTypeOptionsAttribute.cs
+++ b/BTCPayServer/Filters/XContentTypeOptionsAttribute.cs
@ -19,11 +19,11 @@ namespace BTCPayServer.Filters
        public string Value { get; set; }
        public void OnActionExecuting(ActionExecutingContext context)
        {
-            var existing = context.HttpContext.Response.Headers["x-content-type-options"].FirstOrDefault();
+            var existing = context.HttpContext.Response.Headers["X-Content-Type-Options"].FirstOrDefault();
            if (existing != null && Value == null)
-                context.HttpContext.Response.Headers.Remove("x-content-type-options");
+                context.HttpContext.Response.Headers.Remove("X-Content-Type-Options");
            else
-                context.HttpContext.Response.Headers["x-content-type-options"] = Value;
+                context.HttpContext.Response.Headers["X-Content-Type-Options"] = Value;
        }
    }
 }
--- a/BTCPayServer/Filters/XFrameOptionsAttribute.cs
+++ b/BTCPayServer/Filters/XFrameOptionsAttribute.cs
@ -23,11 +23,11 @@ namespace BTCPayServer.Filters

        public void OnActionExecuting(ActionExecutingContext context)
        {
-            var existing = context.HttpContext.Response.Headers["x-frame-options"].FirstOrDefault();
+            var existing = context.HttpContext.Response.Headers["X-Frame-Options"].FirstOrDefault();
            if (existing != null && Value == null)
-                context.HttpContext.Response.Headers.Remove("x-frame-options");
+                context.HttpContext.Response.Headers.Remove("X-Frame-Options");
            else
-                context.HttpContext.Response.Headers["x-frame-options"] = Value;
+                context.HttpContext.Response.Headers["X-Frame-Options"] = Value;
        }
    }
 }
--- a/BTCPayServer/Filters/XXSSProtectionAttribute.cs
+++ b/BTCPayServer/Filters/XXSSProtectionAttribute.cs
@ -0,0 +1,27 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.AspNetCore.Mvc.ViewFeatures;
+using Microsoft.AspNetCore.Mvc.ViewFeatures.Internal;
+
+namespace BTCPayServer.Filters
+{
+    public class XXSSProtectionAttribute : Attribute, IActionFilter
+    {
+        public void OnActionExecuted(ActionExecutedContext context)
+        {
+        }
+
+        public void OnActionExecuting(ActionExecutingContext context)
+        {
+            var existing = context.HttpContext.Response.Headers["X-XSS-Protection"].FirstOrDefault();
+            if (existing != null)
+                context.HttpContext.Response.Headers.Remove("X-XSS-Protection");
+            else
+                context.HttpContext.Response.Headers["X-XSS-Protection"] = "1; mode=block";
+        }
+        
+    }
+}
--- a/BTCPayServer/Hosting/Startup.cs
+++ b/BTCPayServer/Hosting/Startup.cs
@ -80,6 +80,7 @@ namespace BTCPayServer.Hosting
            {
                o.Filters.Add(new XFrameOptionsAttribute("DENY"));
                o.Filters.Add(new XContentTypeOptionsAttribute("nosniff"));
+                o.Filters.Add(new XXSSProtectionAttribute());
            });

            services.Configure<IdentityOptions>(options =>