author | Andrew Arnott <andrewarnott@gmail.com> | 2012-02-20 11:05:08 -0800 |
committer | Andrew Arnott <andrewarnott@gmail.com> | 2012-02-20 11:05:08 -0800 |
commit | 234cf20e86b0ed1d65bca4a61eabb3277e8562c5 (patch) | |
tree | c13f949c18e08e5ab1889b6d7b98968463f3aea6 /projecttemplates | |
parent | 6bec41a02764e66581a5eaaaa6980b9124f7ca7b (diff) | |
download | DotNetOpenAuth-234cf20e86b0ed1d65bca4a61eabb3277e8562c5.zip DotNetOpenAuth-234cf20e86b0ed1d65bca4a61eabb3277e8562c5.tar.gz DotNetOpenAuth-234cf20e86b0ed1d65bca4a61eabb3277e8562c5.tar.bz2 |
Added another frame busting technique to make the authorization server more secure.
Diffstat (limited to 'projecttemplates')
3 files changed, 41 insertions, 0 deletions
diff --git a/projecttemplates/MvcRelyingParty/Code/HttpHeaderAttribute.cs b/projecttemplates/MvcRelyingParty/Code/HttpHeaderAttribute.cs
new file mode 100644
index 0000000..f5aaef5
--- /dev/null
+++ b/projecttemplates/MvcRelyingParty/Code/HttpHeaderAttribute.cs
@@ -0,0 +1,39 @@
+namespace MvcRelyingParty {
+ using System;
+ using System.Collections.Generic;
+ using System.Linq;
+ using System.Web;
+ using System.Web.Mvc;
+
+ /// <summary>
+ /// Represents an attribute that is used to add HTTP Headers to a Controller Action response.
+ /// </summary>
+ public class HttpHeaderAttribute : ActionFilterAttribute {
+ /// <summary>
+ /// Gets or sets the name of the HTTP Header.
+ /// </summary>
+ public string Name { get; set; }
+
+ /// <summary>
+ /// Gets or sets the value of the HTTP Header.
+ /// </summary>
+ public string Value { get; set; }
+
+ /// <summary>
+ /// Initializes a new instance of the <see cref="HttpHeaderAttribute"/> class.
+ /// </summary>
+ public HttpHeaderAttribute(string name, string value) {
+ Name = name;
+ Value = value;
+ }
+
+ /// <summary>
+ /// Called by the MVC framework after the action result executes.
+ /// </summary>
+ /// <param name="filterContext">The filter context.</param>
+ public override void OnResultExecuted(ResultExecutedContext filterContext) {
+ filterContext.HttpContext.Response.AppendHeader(Name, Value);
+ base.OnResultExecuted(filterContext);
+ }
+ }
+}
\ No newline at end of file diff --git a/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs b/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs index 0b5e0b6..4ce8592 100644 --- a/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs +++ b/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs @@ -49,6 +49,7 @@ } [Authorize, AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post)] + [HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking public ActionResult Authorize() { var pendingRequest = OAuthServiceProvider.AuthorizationServer.ReadAuthorizationRequest(); if (pendingRequest == null) { diff --git a/projecttemplates/MvcRelyingParty/MvcRelyingParty.csproj b/projecttemplates/MvcRelyingParty/MvcRelyingParty.csproj index 40e96b8..2b0be9a 100644 --- a/projecttemplates/MvcRelyingParty/MvcRelyingParty.csproj +++ b/projecttemplates/MvcRelyingParty/MvcRelyingParty.csproj @@ -72,6 +72,7 @@ <ItemGroup> <Compile Include="Code\Extensions.cs" /> <Compile Include="Code\FormsAuthenticationService.cs" /> + <Compile Include="Code\HttpHeaderAttribute.cs" /> <Compile Include="Code\OpenIdRelyingPartyService.cs" /> <Compile Include="Controllers\AccountController.cs" /> <Compile Include="Controllers\AuthController.cs" /> |
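Review bot: The header is added in `OnResultExecuted`, i.e. after the action result has already executed, so if the result (or anything else in the pipeline) has flushed the response by then, `AppendHeader` can throw an HttpException because the headers are already on the wire and the protective header is lost for that request. Overriding `OnResultExecuting(ResultExecutingContext filterContext)` with the same one-line body sets the header before the view or redirect is written, which is where a response header belongs. The class also carries no `[AttributeUsage]`, so with the default `AllowMultiple = false` a second `[HttpHeader]` on the same action is a compile error (CS0579), which defeats the obvious use of stacking several headers; `[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]` on the class fixes that. Consider also marking the class `sealed` and validating `name` and `value` for null or whitespace in the constructor, so a misconfigured attribute fails when the type is loaded rather than deep inside the response pipeline.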
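Review bot: `SAMEORIGIN` still permits any page served from the relying party's own origin to frame the authorization prompt; unless this template deliberately frames the consent page, `DENY` is the stricter value and costs nothing here, `[HttpHeader("x-frame-options", "DENY")] // mitigates clickjacking`. The protection is also only as good as its delivery, and since the attribute (added in the other file of this commit) appends the header after the result has executed, an action that throws or flushes early responds without it, so a site-wide default such as a customHeaders entry in web.config or a global filter would be the safer baseline, with this per-action attribute as an override. The `Authorize` method continues beyond the hunk, so whether any other response path for the consent flow is covered cannot be confirmed from here.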