Bugfix/coep default header value (#167)

* Fixed the default header value for COEP * Uppped minor version * Simplified and fixed test for COEP header value validity * Ran dotnet-format on code base --------- Co-authored-by: Jamie Taylor <[email protected]>
GaProgMan · Dec 31, 2024 · b5eca30 · b5eca30
1 parent ae262e4
commit b5eca30
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 5 deletions.
diff --git a/README-NuGet.md b/README-NuGet.md
@@ -40,7 +40,7 @@ referrer-policy: no-referrer
 cross-origin-resource-policy: same-origin
 cache-control: max-age=0,no-store
 cross-origin-opener-policy: same-origin
-cross-origin-embedder-policy: same-require-corp
+cross-origin-embedder-policy: require-corp
 x-xss-protection: 0
 ```
 

diff --git a/README.md b/README.md
@@ -64,7 +64,7 @@ referrer-policy: no-referrer
 cross-origin-resource-policy: same-origin
 cache-control: max-age=0,no-store
 cross-origin-opener-policy: same-origin
-cross-origin-embedder-policy: same-require-corp
+cross-origin-embedder-policy: require-corp
 x-xss-protection: 0
 ```
 

diff --git a/src/Models/CrossOriginEmbedderPolicy.cs b/src/Models/CrossOriginEmbedderPolicy.cs
@@ -38,7 +38,7 @@ public CrossOriginEmbedderPolicy(CrossOriginEmbedderOptions value =
     /// A document can only load resources from the same origin, or resources explicitly
     /// marked as loadable from another origin.
     /// </summary>
-    public const string RequireCorp = "same-require-corp";
+    public const string RequireCorp = "require-corp";
 
     public enum CrossOriginEmbedderOptions
     {
@@ -70,4 +70,28 @@ public string BuildHeaderValue()
                 return RequireCorp;
         }
     }
+
+    /// <summary>
+    /// Used to calculate whether the current header value is valid
+    /// </summary>
+    /// <param name="useCrossOriginResourcePolicy">
+    /// Whether the CORP header is included in the outer setup
+    /// </param>
+    /// <remarks>
+    /// The value for this header is only invalid if the CORP (Cross-Origin-Resource-Policy) header
+    /// is enabled and the current value for the COEP (Cross-Origin-Embedder-Policy) hedaer is set to
+    /// <see cref="RequireCorp"/>
+    /// </remarks>
+    public bool HeaderValueIsValid(bool useCrossOriginResourcePolicy)
+    {
+        if (OptionValue == CrossOriginEmbedderOptions.RequireCorp)
+        {
+            if (!useCrossOriginResourcePolicy)
+            {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }
diff --git a/src/OwaspHeaders.Core.csproj b/src/OwaspHeaders.Core.csproj
@@ -8,7 +8,7 @@
 
     <!-- NuGet metadata -->
     <PackageId>OwaspHeaders.Core</PackageId>
-    <Version>9.7.1</Version>
+    <Version>9.7.2</Version>
     <Authors>Jamie Taylor</Authors>
     <Company>RJJ Software Ltd</Company>
     <PackageLicenseExpression>MIT</PackageLicenseExpression>

diff --git a/src/SecureHeadersMiddleware.cs b/src/SecureHeadersMiddleware.cs
@@ -134,7 +134,7 @@ private FrozenDictionary<string, string> GenerateRelevantHeaders()
 
         if (_config.UseCrossOriginEmbedderPolicy)
         {
-            if (!_config.UseCrossOriginResourcePolicy)
+            if (!_config.CrossOriginEmbedderPolicy.HeaderValueIsValid(_config.UseCrossOriginResourcePolicy))
             {
                 BoolValueGuardClauses.MustBeTrue(_config.UseCrossOriginResourcePolicy, nameof(_config.UseCrossOriginResourcePolicy));
             }

diff --git a/tests/OwaspHeaders.Core.Tests/CustomHeaders/CrossOriginOptionsTests.cs b/tests/OwaspHeaders.Core.Tests/CustomHeaders/CrossOriginOptionsTests.cs
@@ -135,5 +135,36 @@ public async Task When_UseCrossOriginEmbedderPolicyNotCalled_Header_Not_Present(
         Assert.False(headerNotPresentConfig.UseCrossOriginEmbedderPolicy);
         Assert.False(_context.Response.Headers.ContainsKey(Constants.CrossOriginEmbedderPolicyHeaderName));
     }
+
+    [Theory]
+    [InlineData(CrossOriginEmbedderPolicy.CrossOriginEmbedderOptions.RequireCorp)]
+    [InlineData(CrossOriginEmbedderPolicy.CrossOriginEmbedderOptions.UnsafeNone)]
+    public void CrossOriginEmbedderPolicy_HeaderValueIsValid_Returns_True_When_HeaderIsValid(CrossOriginEmbedderPolicy.CrossOriginEmbedderOptions headerValue)
+    {
+        // Arrange
+        var header = new CrossOriginEmbedderPolicy(headerValue);
+        const bool useCorp = true;
+
+        // Act
+        var valid = header.HeaderValueIsValid(useCorp);
+
+        // Assert
+        Assert.True(valid);
+    }
+
+    [Fact]
+    public void CrossOriginEmbedderPolicy_HeaderValueIsValid_Returns_False_When_HeaderIsInvalid()
+    {
+        // Arrange
+        var header = new CrossOriginEmbedderPolicy(CrossOriginEmbedderPolicy.CrossOriginEmbedderOptions.RequireCorp);
+        var useCorp = false;
+
+        // Act
+        var valid = header.HeaderValueIsValid(useCorp);
+
+        // Assert
+        Assert.False(valid);
+    }
+
 }