From bbaf25152573b2befb8f32a267ea11ff35631b4a Mon Sep 17 00:00:00 2001
From: Uncled1023
Date: Sat, 26 Jan 2019 00:12:39 -0800
Subject: [PATCH] Made CSP middleware the same for both web services

---
 IdentityServer/Middleware/CSPMiddleware.cs | 19 ++++++++++++++-----
 IdentityServer/Views/Shared/_Layout.cshtml | 1 -
 Teknik/Middleware/CSPMiddleware.cs | 15 ++++++++++++++-
 Teknik/Startup.cs | 1 -
 4 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/IdentityServer/Middleware/CSPMiddleware.cs b/IdentityServer/Middleware/CSPMiddleware.cs
index e3f424e..fb22ebd 100644
--- a/IdentityServer/Middleware/CSPMiddleware.cs
+++ b/IdentityServer/Middleware/CSPMiddleware.cs
@@ -34,11 +34,20 @@ namespace Teknik.IdentityServer.Middleware
 allowedDomain = host;
 }
- var csp = "default-src 'self';" +
- "img-src * 'self' data: https:;" +
- $"style-src 'self' {allowedDomain};" +
- $"font-src 'self' {allowedDomain};" +
- $"script-src 'self' 'unsafe-inline' {allowedDomain};";
+ var csp = string.Format(
+ "default-src 'none'; " +
+ "script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " +
+ "style-src 'unsafe-inline' {0}; " +
+ "img-src data: *; " +
+ "font-src data: {0}; " +
+ "connect-src wss: blob: data: {0}; " +
+ "media-src *; " +
+ "worker-src blob: mediastream: {0}; " +
+ "form-action {0}; " +
+ "base-uri {0}; " +
+ "frame-ancestors {0};", allowedDomain, httpContext.Items[Constants.NONCE_KEY]);
 if (!httpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
 {
diff --git a/IdentityServer/Views/Shared/_Layout.cshtml b/IdentityServer/Views/Shared/_Layout.cshtml
index 511305b..d399b87 100644
--- a/IdentityServer/Views/Shared/_Layout.cshtml
+++ b/IdentityServer/Views/Shared/_Layout.cshtml
@@ -45,7 +45,6 @@
-
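Review bot: The new IdentityServer policy depends on `httpContext.Items[Constants.NONCE_KEY]` already holding a per-request nonce, but nothing in this hunk sets one, and the policy it replaces never used a nonce (it relied on `'unsafe-inline'`), so it is not visible whether the IdentityServer pipeline has the nonce-generating middleware that the Teknik project evidently does; if the item is null, `string.Format` renders it as empty and the header carries `'nonce-'`, an invalid source expression that browsers ignore, silently blocking every inline script on the login views. Rather than emit a useless header, resolve and check the value before the format: `var nonce = httpContext.Items[Constants.NONCE_KEY] as string;` followed by `if (string.IsNullOrEmpty(nonce)) throw new InvalidOperationException("CSP nonce was not generated for this request");`, then pass `nonce` as `{1}`. Note also that the copied policy widens what the identity provider permits relative to the removed `default-src 'self'` one: `'unsafe-eval'`, `wss:`, `media-src *` and `style-src 'unsafe-inline'` are all newly allowed, and a login service rarely needs any of them, so consider trimming them here even if the main site keeps them. Since both projects now carry a byte-identical policy string, a single shared builder would stop them drifting apart again. The enclosing method begins before the hunk.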
diff --git a/Teknik/Middleware/CSPMiddleware.cs b/Teknik/Middleware/CSPMiddleware.cs
index 21762d2..cf0bb02 100644
--- a/Teknik/Middleware/CSPMiddleware.cs
+++ b/Teknik/Middleware/CSPMiddleware.cs
@@ -42,7 +42,20 @@ namespace Teknik.Middleware
 allowedDomain += " " + config.CdnHost;
 }
- httpContext.Response.Headers.Append("Content-Security-Policy", string.Format("default-src 'none'; script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; style-src 'unsafe-inline' {0}; img-src data: *; font-src data: {0}; connect-src wss: blob: data: {0}; media-src *; worker-src blob: mediastream: {0}; form-action {0}; base-uri {0}; frame-ancestors {0};", allowedDomain, httpContext.Items[Constants.NONCE_KEY]));
+ httpContext.Response.Headers.Append("Content-Security-Policy", string.Format(
+ "default-src 'none'; " +
+ "script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " +
+ "style-src 'unsafe-inline' {0}; " +
+ "img-src data: *; " +
+ "font-src data: {0}; " +
+ "connect-src wss: blob: data: {0}; " +
+ "media-src *; " +
+ "worker-src blob: mediastream: {0}; " +
+ "form-action {0}; " +
+ "base-uri {0}; " +
+ "frame-ancestors {0};", allowedDomain, httpContext.Items[Constants.NONCE_KEY]));
 }
 return _next(httpContext);
diff --git a/Teknik/Startup.cs b/Teknik/Startup.cs
index d0f5ccc..b917eaf 100644
--- a/Teknik/Startup.cs
+++ b/Teknik/Startup.cs
@@ -314,6 +314,5 @@ namespace Teknik context.Response.StatusCode = 403; context.HandleResponse(); } - } }