Lombiq · Piedone · Jan 15, 2024 · Dec 22, 2023 · Dec 22, 2023 · Dec 22, 2023
diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md b/Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md
@@ -9,3 +9,5 @@
 - `ServiceCollectionExtensions`: Extensions methods for `IServiceCollection`, e.g. `AddContentSecurityPolicyProvider()` is a shortcut to register `IContentSecurityPolicyProvider` in dependency injection.
 
 There is a similar section for security extensions related to Orchard Core [here](../../Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md).
+
+These extensions provide additional security and can resolve issues reported by the [ZAP security scanner](https://github.com/Lombiq/UI-Testing-Toolbox/blob/dev/Lombiq.Tests.UI/Docs/SecurityScanning.md).
diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/ApplicationBuilderExtensions.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/ApplicationBuilderExtensions.cs
@@ -65,9 +65,10 @@ public static IApplicationBuilder UseContentSecurityPolicyHeader(
                 // No need to do content security policy on non-HTML responses.
                 if (context.Response.ContentType?.ContainsOrdinalIgnoreCase(MediaTypeNames.Text.Html) != true) return;
 
-                // The thought behind this provider model is that if you need something else than the default, you should
-                // add a provider that only applies the additional directive on screens where it's actually needed. This way
-                // we  maintain minimal permissions. If you need additional
+                // The thought behind this provider model is that if you need something else than the default, you
+                // should add a provider that only applies the additional directive on screens where it's actually
+                // needed. This way we maintain minimal permissions. Also if you need additional permissions for a
+                // specific action you can use the [ContentSecurityPolicyAttribute(value, name, parentName)] attribute.
                 foreach (var provider in context.RequestServices.GetServices<IContentSecurityPolicyProvider>())
                 {
                     await provider.UpdateAsync(securityPolicies, context);
@@ -88,7 +89,7 @@ public static IApplicationBuilder UseContentSecurityPolicyHeader(
     /// Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response
     /// body to be interpreted  and displayed as a content type other than the declared content type. Current (early
     /// 2014) and legacy versions  of Firefox will use the declared content type (if one is set), rather than performing
-    /// MIME-sniffing." As written in <a href="https://www.zaproxy.org/docs/alerts/10021/">the documentation</a>.
+    /// MIME-sniffing." As written in <see href="https://www.zaproxy.org/docs/alerts/10021/">the documentation</see>.
     /// </para></remarks>
     public static IApplicationBuilder UseNosniffContentTypeOptionsHeader(this IApplicationBuilder app) =>
         app.Use(async (context, next) =>

diff --git a/Lombiq.HelpfulLibraries.Common/Extensions/StringExtensions.cs b/Lombiq.HelpfulLibraries.Common/Extensions/StringExtensions.cs
@@ -398,6 +398,15 @@ private static (string? Left, string? Separator, string? Right) Partition(
         return (text![..index], text[index..end], text[end..]);
     }
 
+    /// <summary>
+    /// Combines all provided parameters into a single string and eliminates duplicates. This can be used to get the
+    /// union of space separated word lists. For example it's used to build the values of individual directives in the
+    /// <c>Content-Security-Policy</c> HTTP header.
+    /// </summary>
+    /// <example>
+    /// Given the words "script-src 'self'" and otherWords containing "script-src example.com", the result would be
+    /// "script-src 'self' example.com".
+    /// </example>
     public static string MergeWordSets(this string words, params string[] otherWords) =>
         string.Join(
             separator: ' ',

diff --git a/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md b/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md
@@ -5,3 +5,5 @@
 - `SecurityOrchardCoreBuilderExtensions`: Adds `BuilderExtensions` extensions. For example, the `ConfigureSecurityDefaults()` that provides some default security configuration for Orchard Core.
 
 There is a similar section for security extensions related to ASP.NET Core [here](../../Lombiq.HelpfulLibraries.AspNetCore/Docs/Security.md).
+
+These extensions provide additional security and can resolve issues reported by the [ZAP security scanner](https://github.com/Lombiq/UI-Testing-Toolbox/blob/dev/Lombiq.Tests.UI/Docs/SecurityScanning.md).
diff --git a/Lombiq.HelpfulLibraries.OrchardCore/Security/OrchardCoreBuilderExtensions.cs b/Lombiq.HelpfulLibraries.OrchardCore/Security/OrchardCoreBuilderExtensions.cs
@@ -3,6 +3,7 @@
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.StaticFiles;
 using OrchardCore.Environment.Shell;
 using OrchardCore.Environment.Shell.Models;
 using System.Linq;
@@ -61,7 +62,26 @@ public static OrchardCoreBuilder ConfigureAntiForgeryAlwaysSecure(this OrchardCo
     public static OrchardCoreBuilder ConfigureSecurityDefaults(
         this OrchardCoreBuilder builder,
         bool allowInlineScript = true,
-        bool allowInlineStyle = false)
+        bool allowInlineStyle = false) =>
+        builder.ConfigureSecurityDefaultsInner(allowInlineScript, allowInlineStyle, useStaticFiles: false);
+
+    /// <summary>
+    /// The same as <see cref="ConfigureSecurityDefaults"/>, but also registers the <see cref="StaticFileMiddleware"/>
+    /// at the end of the chain. It's important to not do this earlier (e.g. with <c>app.UseStaticFiles()</c> because
+    /// it short-circuits the call chain when delivering static files so later middlewares are not executed and so the
+    /// <c>X-Content-Type-Options: nosniff</c> header doesn't get applied to those files.
+    /// </summary>
+    public static OrchardCoreBuilder ConfigureSecurityDefaultsWithStaticFiles(
+        this OrchardCoreBuilder builder,
+        bool allowInlineScript = true,
+        bool allowInlineStyle = false) =>
+        builder.ConfigureSecurityDefaultsInner(allowInlineScript, allowInlineStyle, useStaticFiles: true);
+
+    private static OrchardCoreBuilder ConfigureSecurityDefaultsInner(
+        this OrchardCoreBuilder builder,
+        bool allowInlineScript,
+        bool allowInlineStyle,
+        bool useStaticFiles)
     {
         builder.ApplicationServices.AddInlineStartup(
             services => services
@@ -82,8 +102,11 @@ public static OrchardCoreBuilder ConfigureSecurityDefaults(
                     .UseContentSecurityPolicyHeader(allowInlineScript, allowInlineStyle)
                     .UseNosniffContentTypeOptionsHeader()
                     .UseStrictAndSecureCookies();
+
+                if (useStaticFiles) app.UseStaticFiles();
             },
             order: 99); // Makes this service load fairly late. This should make the setup detection more accurate.
+
         return builder
             .ConfigureAntiForgeryAlwaysSecure()
             .AddTenantFeatures("OrchardCore.Diagnostics");