authorAndrew Arnott <andrewarnott@gmail.com>2012-02-20 11:05:08 -0800
committerAndrew Arnott <andrewarnott@gmail.com>2012-02-20 11:05:08 -0800
commit234cf20e86b0ed1d65bca4a61eabb3277e8562c5 (patch)
treec13f949c18e08e5ab1889b6d7b98968463f3aea6 /samples/OAuthAuthorizationServer
parent6bec41a02764e66581a5eaaaa6980b9124f7ca7b (diff)
Added another frame busting technique to make the authorization server more secure.
Diffstat (limited to 'samples/OAuthAuthorizationServer')
-rw-r--r--samples/OAuthAuthorizationServer/Code/HttpHeaderAttribute.cs39
-rw-r--r--samples/OAuthAuthorizationServer/Controllers/OAuthController.cs1
-rw-r--r--samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj1
3 files changed, 41 insertions, 0 deletions
diff --git a/samples/OAuthAuthorizationServer/Code/HttpHeaderAttribute.cs b/samples/OAuthAuthorizationServer/Code/HttpHeaderAttribute.cs
new file mode 100644
index 0000000..49649eb
--- /dev/null
+++ b/samples/OAuthAuthorizationServer/Code/HttpHeaderAttribute.cs
@@ -0,0 +1,39 @@
+namespace OAuthAuthorizationServer.Code {
+ using System;
+ using System.Collections.Generic;
+ using System.Linq;
+ using System.Web;
+ using System.Web.Mvc;
+
+ /// <summary>
+ /// Represents an attribute that is used to add HTTP Headers to a Controller Action response.
+ /// </summary>
+ public class HttpHeaderAttribute : ActionFilterAttribute {
+ /// <summary>
+ /// Gets or sets the name of the HTTP Header.
+ /// </summary>
+ public string Name { get; set; }
+
+ /// <summary>
+ /// Gets or sets the value of the HTTP Header.
+ /// </summary>
+ public string Value { get; set; }
+
+ /// <summary>
+ /// Initializes a new instance of the <see cref="HttpHeaderAttribute"/> class.
+ /// </summary>
+ public HttpHeaderAttribute(string name, string value) {
+ Name = name;
+ Value = value;
+ }
+
+ /// <summary>
+ /// Called by the MVC framework after the action result executes.
+ /// </summary>
+ /// <param name="filterContext">The filter context.</param>
+ public override void OnResultExecuted(ResultExecutedContext filterContext) {
+ filterContext.HttpContext.Response.AppendHeader(Name, Value);
+ base.OnResultExecuted(filterContext);
+ }
+ }
+} \ No newline at end of file
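Review bot: OnResultExecuted runs after the action result (the view) has already been rendered, so the AppendHeader call at line 61 only works while response buffering is on; once any part of the body has been flushed to the client, ASP.NET rejects late header writes and the X-Frame-Options protection silently never reaches the browser. Setting the header before the result executes removes that dependency: `public override void OnResultExecuting(ResultExecutingContext filterContext) {` / `filterContext.HttpContext.Response.AppendHeader(Name, Value);` / `base.OnResultExecuting(filterContext); }`. The constructor also accepts a null or empty name without complaint and the `<summary>` lacks `<param name="name">`/`<param name="value">` entries; a guard like `if (string.IsNullOrEmpty(name)) throw new ArgumentNullException("name");` plus the two param tags would document the contract. Consider whether the attribute should carry its own `[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]` so several security headers can be stacked on one action; as written, the usage rules inherited from the base filter attribute apply, which I have not verified here.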
diff --git a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
index a67c57b..9d2f6e9 100644
--- a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
+++ b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
@@ -36,6 +36,7 @@
/// </summary>
/// <returns>The browser HTML response that prompts the user to authorize the client.</returns>
[Authorize, AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post)]
+ [HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
public ActionResult Authorize() {
var pendingRequest = this.authorizationServer.ReadAuthorizationRequest();
if (pendingRequest == null) {
diff --git a/samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj b/samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj
index 8dff7d5..ffb0828 100644
--- a/samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj
+++ b/samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj
@@ -78,6 +78,7 @@
<DesignTime>True</DesignTime>
<AutoGen>True</AutoGen>
</Compile>
+ <Compile Include="Code\HttpHeaderAttribute.cs" />
<Compile Include="Code\OAuth2AuthorizationServer.cs" />
<Compile Include="Code\Utilities.cs" />
<Compile Include="Controllers\AccountController.cs" />