From b5eca30176eaa473c60d7d5ce8cfd43d1b9021d7 Mon Sep 17 00:00:00 2001 From: Jamie Taylor <1607732+GaProgMan@users.noreply.github.com> Date: Tue, 31 Dec 2024 00:42:21 +0000 Subject: [PATCH] Bugfix/coep default header value (#167) * Fixed the default header value for COEP * Uppped minor version * Simplified and fixed test for COEP header value validity * Ran dotnet-format on code base --------- Co-authored-by: Jamie Taylor --- README-NuGet.md | 2 +- README.md | 2 +- src/Models/CrossOriginEmbedderPolicy.cs | 26 +++++++++++++++- src/OwaspHeaders.Core.csproj | 2 +- src/SecureHeadersMiddleware.cs | 2 +- .../CustomHeaders/CrossOriginOptionsTests.cs | 31 +++++++++++++++++++ 6 files changed, 60 insertions(+), 5 deletions(-) diff --git a/README-NuGet.md b/README-NuGet.md index 7dbd234..15504a1 100644 --- a/README-NuGet.md +++ b/README-NuGet.md @@ -40,7 +40,7 @@ referrer-policy: no-referrer cross-origin-resource-policy: same-origin cache-control: max-age=0,no-store cross-origin-opener-policy: same-origin -cross-origin-embedder-policy: same-require-corp +cross-origin-embedder-policy: require-corp x-xss-protection: 0 ``` diff --git a/README.md b/README.md index a2750c6..88feddc 100644 --- a/README.md +++ b/README.md @@ -64,7 +64,7 @@ referrer-policy: no-referrer cross-origin-resource-policy: same-origin cache-control: max-age=0,no-store cross-origin-opener-policy: same-origin -cross-origin-embedder-policy: same-require-corp +cross-origin-embedder-policy: require-corp x-xss-protection: 0 ``` diff --git a/src/Models/CrossOriginEmbedderPolicy.cs b/src/Models/CrossOriginEmbedderPolicy.cs index 3ff65ea..9124876 100644 --- a/src/Models/CrossOriginEmbedderPolicy.cs +++ b/src/Models/CrossOriginEmbedderPolicy.cs 
@@ -38,7 +38,7 @@ public CrossOriginEmbedderPolicy(CrossOriginEmbedderOptions value =
     /// A document can only load resources from the same origin, or resources explicitly
     /// marked as loadable from another origin.
     ///
-    public const string RequireCorp = "same-require-corp";
+    public const string RequireCorp = "require-corp";
 
     public enum CrossOriginEmbedderOptions
     {
@@ -70,4 +70,28 @@ public string BuildHeaderValue()
             return RequireCorp;
         }
     }
+
+    ///
+    /// Used to calculate whether the current header value is valid
+    ///
+    ///
+    /// Whether the CORP header is included in the outer setup
+    ///
+    ///
+    /// The value for this header is only invalid if the CORP (Cross-Origin-Resource-Policy) header
+    /// is enabled and the current value for the COEP (Cross-Origin-Embedder-Policy) hedaer is set to
+    ///
+    ///
+    public bool HeaderValueIsValid(bool useCrossOriginResourcePolicy)
+    {
+        if (OptionValue == CrossOriginEmbedderOptions.RequireCorp)
+        {
+            if (!useCrossOriginResourcePolicy)
+            {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }
diff --git a/src/OwaspHeaders.Core.csproj b/src/OwaspHeaders.Core.csproj
index 6e99b1a..5eebd03 100644
--- a/src/OwaspHeaders.Core.csproj
+++ b/src/OwaspHeaders.Core.csproj
@@ -8,7 +8,7 @@
     OwaspHeaders.Core
-    9.7.1
+    9.7.2
     Jamie Taylor
     RJJ Software Ltd
     MIT
diff --git a/src/SecureHeadersMiddleware.cs b/src/SecureHeadersMiddleware.cs
index 48641d8..22e9af0 100644
--- a/src/SecureHeadersMiddleware.cs
+++ b/src/SecureHeadersMiddleware.cs
@@ -134,7 +134,7 @@ private FrozenDictionary GenerateRelevantHeaders()
         if (_config.UseCrossOriginEmbedderPolicy)
         {
-            if (!_config.UseCrossOriginResourcePolicy)
+            if (!_config.CrossOriginEmbedderPolicy.HeaderValueIsValid(_config.UseCrossOriginResourcePolicy))
             {
                 BoolValueGuardClauses.MustBeTrue(_config.UseCrossOriginResourcePolicy, nameof(_config.UseCrossOriginResourcePolicy));
             }
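Review bot: The returns remark on the new HeaderValueIsValid states the opposite of what the body does — it says the value is invalid when the CORP header "is enabled", whereas the code returns false only when `useCrossOriginResourcePolicy` is false and the option is RequireCorp — and it also trails off after "is set to" and misspells "header". I would replace it with `/// The value is only invalid when the COEP (Cross-Origin-Embedder-Policy) value is require-corp and the CORP (Cross-Origin-Resource-Policy) header is not enabled; every other combination is valid.` The nested ifs can then collapse into one expression that reads like that contract, `return OptionValue != CrossOriginEmbedderOptions.RequireCorp || useCrossOriginResourcePolicy;`. It is also worth saying in the summary that this is the library's own configuration rule rather than a browser requirement: require-corp constrains what the document may embed, while the CORP header this middleware emits governs who may embed this server's responses, so the coupling is a policy choice and readers should not infer that one header is technically required by the other.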
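Review bot: The rewritten condition in GenerateRelevantHeaders (whose body starts and ends outside the hunk) leaves the guard inside it redundant and fragile: HeaderValueIsValid only returns false when UseCrossOriginResourcePolicy is false, so `BoolValueGuardClauses.MustBeTrue(_config.UseCrossOriginResourcePolicy, …)` — which presumably throws on false — always fires today, but if HeaderValueIsValid ever gains a second rule the guard will pass and the misconfigured header will be emitted silently. Fail on the validation result itself, e.g. `throw new InvalidOperationException($"{nameof(_config.CrossOriginEmbedderPolicy)} set to require-corp requires {nameof(_config.UseCrossOriginResourcePolicy)} to be true");`, or pass the HeaderValueIsValid result to MustBeTrue so the guard and the check cannot drift apart. Note that the change also relaxes the previous rule — COEP unsafe-none without CORP was rejected before and is now accepted — which looks like the intended fix but is a behavioural change for existing callers that the commit message does not mention.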
diff --git a/tests/OwaspHeaders.Core.Tests/CustomHeaders/CrossOriginOptionsTests.cs b/tests/OwaspHeaders.Core.Tests/CustomHeaders/CrossOriginOptionsTests.cs
index 3d6d484..4aca9e4 100644
--- a/tests/OwaspHeaders.Core.Tests/CustomHeaders/CrossOriginOptionsTests.cs
+++ b/tests/OwaspHeaders.Core.Tests/CustomHeaders/CrossOriginOptionsTests.cs
@@ -135,5 +135,36 @@ public async Task When_UseCrossOriginEmbedderPolicyNotCalled_Header_Not_Present(
         Assert.False(headerNotPresentConfig.UseCrossOriginEmbedderPolicy);
         Assert.False(_context.Response.Headers.ContainsKey(Constants.CrossOriginEmbedderPolicyHeaderName));
     }
+
+    [Theory]
+    [InlineData(CrossOriginEmbedderPolicy.CrossOriginEmbedderOptions.RequireCorp)]
+    [InlineData(CrossOriginEmbedderPolicy.CrossOriginEmbedderOptions.UnsafeNone)]
+    public void CrossOriginEmbedderPolicy_HeaderValueIsValid_Returns_True_When_HeaderIsValid(CrossOriginEmbedderPolicy.CrossOriginEmbedderOptions headerValue)
+    {
+        // Arrange
+        var header = new CrossOriginEmbedderPolicy(headerValue);
+        const bool useCorp = true;
+
+        // Act
+        var valid = header.HeaderValueIsValid(useCorp);
+
+        // Assert
+        Assert.True(valid);
+    }
+
+    [Fact]
+    public void CrossOriginEmbedderPolicy_HeaderValueIsValid_Returns_False_When_HeaderIsInvalid()
+    {
+        // Arrange
+        var header = new CrossOriginEmbedderPolicy(CrossOriginEmbedderPolicy.CrossOriginEmbedderOptions.RequireCorp);
+        var useCorp = false;
+
+        // Act
+        var valid = header.HeaderValueIsValid(useCorp);
+
+        // Assert
+        Assert.False(valid);
+    }
+
 
 }
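Review bot: Neither new test pins the literal this commit actually fixes — `"same-require-corp"` → `"require-corp"` in CrossOriginEmbedderPolicy.RequireCorp — so the regression being repaired still has no test; add a case such as `Assert.Equal("require-corp", new CrossOriginEmbedderPolicy(CrossOriginEmbedderPolicy.CrossOriginEmbedderOptions.RequireCorp).BuildHeaderValue());`, and ideally an end-to-end assertion that the emitted cross-origin-embedder-policy header carries that exact value. The invalid-case test declares `var useCorp = false;` while its sibling uses `const bool useCorp = true;`; make both `const bool` for consistency. Both tests also call HeaderValueIsValid directly and never go through the middleware path that this commit switched over to it, so the new behaviour — COEP unsafe-none with CORP disabled no longer throws and the header is still emitted — is untested; a test that builds a configuration with COEP set to UnsafeNone and CORP off, runs the middleware, and asserts the header is present (the existing fixture with `_context.Response.Headers` looks like the place for it) would cover that.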