136 lines
3.1 KiB
Plaintext
136 lines
3.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
=== ASP.NET Core MVC
|
|
|
|
----
|
|
[HttpGet]
|
|
public string Get()
|
|
{
|
|
Response.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive
|
|
Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
|
|
}
|
|
----
|
|
|
|
----
|
|
public void ConfigureServices(IServiceCollection services)
|
|
{
|
|
services.AddCors(options =>
|
|
{
|
|
options.AddDefaultPolicy(builder =>
|
|
{
|
|
builder.WithOrigins("*"); // Sensitive
|
|
});
|
|
|
|
options.AddPolicy(name: "EnableAllPolicy", builder =>
|
|
{
|
|
builder.WithOrigins("*"); // Sensitive
|
|
});
|
|
|
|
options.AddPolicy(name: "OtherPolicy", builder =>
|
|
{
|
|
builder.AllowAnyOrigin(); // Sensitive
|
|
});
|
|
});
|
|
|
|
services.AddControllers();
|
|
}
|
|
----
|
|
|
|
=== ASP.NET MVC
|
|
|
|
----
|
|
public class HomeController : ApiController
|
|
{
|
|
public HttpResponseMessage Get()
|
|
{
|
|
var response = HttpContext.Current.Response;
|
|
|
|
response.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive
|
|
response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
|
|
response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
----
|
|
[EnableCors(origins: "*", headers: "*", methods: "GET")] // Sensitive
|
|
public HttpResponseMessage Get() => new HttpResponseMessage()
|
|
{
|
|
Content = new StringContent("content")
|
|
};
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
=== ASP.NET Core MVC
|
|
|
|
----
|
|
[HttpGet]
|
|
public string Get()
|
|
{
|
|
Response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com"); // Safe
|
|
Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com"); // Safe
|
|
}
|
|
----
|
|
|
|
----
|
|
public void ConfigureServices(IServiceCollection services)
|
|
{
|
|
services.AddCors(options =>
|
|
{
|
|
options.AddDefaultPolicy(builder =>
|
|
{
|
|
builder.WithOrigins("https://trustedwebsite.com", "https://anothertrustedwebsite.com"); // Safe
|
|
});
|
|
|
|
options.AddPolicy(name: "EnableAllPolicy", builder =>
|
|
{
|
|
builder.WithOrigins("https://trustedwebsite.com"); // Safe
|
|
});
|
|
});
|
|
|
|
services.AddControllers();
|
|
}
|
|
----
|
|
|
|
=== ASP.Net MVC
|
|
|
|
|
|
----
|
|
public class HomeController : ApiController
|
|
{
|
|
public HttpResponseMessage Get()
|
|
{
|
|
var response = HttpContext.Current.Response;
|
|
|
|
response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com");
|
|
response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");
|
|
response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");
|
|
}
|
|
}
|
|
----
|
|
|
|
----
|
|
[EnableCors(origins: "https://trustedwebsite.com", headers: "*", methods: "GET")]
|
|
public HttpResponseMessage Get() => new HttpResponseMessage()
|
|
{
|
|
Content = new StringContent("content")
|
|
};
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|