2 changes: 1 addition & 1 deletion .github/workflows/BuildAndPack.yml
Expand Up @@ -21,7 +21,7 @@ jobs:
- os: linux
vm: ubuntu-latest
- os: macos
vm: macos-13 # latest is arm64, and it breaks a bunch of stuff
vm: macos-14 # latest is arm64, and it breaks a bunch of stuff
env:
MSBuildEnableWorkloadResolver: false
name: ${{ matrix.os}}
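Review bot: The trailing comment on the `vm: macos-14` line no longer matches the pin. It says the image is held back because the latest one is arm64, but GitHub's standard `macos-14` hosted runner is, as far as its runner documentation states, itself an arm64 (Apple silicon) image. If the move to arm64 is intended, the comment should say so, for example `vm: macos-14 # arm64 image; macos-13 (x64) is no longer used`. If the build and pack steps still need x64, this label does not provide it and the matrix entry needs another look. The rest of the job definition lies outside the hunk.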
5 changes: 2 additions & 3 deletions global.json
@@ -1,7 +1,6 @@
{
"sdk": {
"version": "10.0.100",
"rollForward": "disable",
"allowPrerelease": true
"version": "10.0.101",
"allowPrerelease": false
}
}
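Review bot: Removing `"rollForward": "disable"` loosens the toolchain pin in this file. With no `rollForward` key the SDK resolver uses its default policy (`latestPatch`), so a build agent can select a later patch in the same feature band than the `version` written here. For a package that emits security headers, it is worth making the intended policy explicit so release builds are reproducible: either keep `"rollForward": "disable"` next to the new version, or add `"rollForward": "latestPatch"` so the relaxation is a visible decision.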
Expand Up @@ -178,18 +178,6 @@ public CustomDirectiveBuilder WithHashSha512(string hash)
return WithHash("sha512", hash);
}

/// <summary>
/// Allow sources for content generated using the HashTagHelper.
/// </summary>
/// <returns>The CSP builder for method chaining</returns>
public CustomDirectiveBuilder WithHashTagHelper()
{
SourceBuilders.Add(
ctx => string.Join(" ", ctx.GetScriptCSPHashes()),
$"NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CustomDirectiveBuilder.{nameof(WithHashTagHelper)}");
return this;
}

/// <summary>
/// Allows the use of inline resources, such as inline &lt;scripT&gt; elements, javascript : URLs,
/// inline event handlers, and inline &lt;style&gt; elements
Expand Up @@ -178,18 +178,6 @@ public DefaultSourceDirectiveBuilder WithHashSha512(string hash)
return WithHash("sha512", hash);
}

/// <summary>
/// Allow sources for content generated using the HashTagHelper.
/// </summary>
/// <returns>The CSP builder for method chaining</returns>
public DefaultSourceDirectiveBuilder WithHashTagHelper()
{
SourceBuilders.Add(
ctx => string.Join(" ", ctx.GetScriptCSPHashes()),
$"NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.DefaultSourceDirectiveBuilder.{nameof(WithHashTagHelper)}");
return this;
}

/// <summary>
/// Allows the use of inline resources, such as inline &lt;scripT&gt; elements, javascript : URLs,
/// inline event handlers, and inline &lt;style&gt; elements
Expand Up @@ -77,7 +77,7 @@ public StyleSourceAttrDirectiveBuilder WithHashSha512(string hash)
public StyleSourceAttrDirectiveBuilder WithHashTagHelper()
{
SourceBuilders.Add(
ctx => string.Join(" ", ctx.GetScriptCSPHashes()),
ctx => string.Join(" ", ctx.GetStyleCSPHashes()),
$"NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.StyleSourceAttrDirectiveBuilder.{nameof(WithHashTagHelper)}");
return this;
}
Expand Up @@ -185,7 +185,7 @@ public StyleSourceDirectiveBuilder WithHashSha512(string hash)
public StyleSourceDirectiveBuilder WithHashTagHelper()
{
SourceBuilders.Add(
ctx => string.Join(" ", ctx.GetScriptCSPHashes()),
ctx => string.Join(" ", ctx.GetStyleCSPHashes()),
$"NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.StyleSourceDirectiveBuilder.{nameof(WithHashTagHelper)}");
return this;
}
Expand Up @@ -185,7 +185,7 @@ public StyleSourceElemDirectiveBuilder WithHashSha512(string hash)
public StyleSourceElemDirectiveBuilder WithHashTagHelper()
{
SourceBuilders.Add(
ctx => string.Join(" ", ctx.GetScriptCSPHashes()),
ctx => string.Join(" ", ctx.GetStyleCSPHashes()),
$"NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.StyleSourceElemDirectiveBuilder.{nameof(WithHashTagHelper)}");
return this;
}
Expand Up @@ -74,7 +74,17 @@ internal enum MixinTypes
None = 1 << 12,

/// <summary>
/// Convenience combination of all mixin flags.
/// Adds the <c>'WithHashTagHelper'</c> source, by calling <c>GetScriptCSPHashes</c>
/// </summary>
ScriptHashTagHelper = 1 << 13,

/// <summary>
/// Adds the <c>'WithHashTagHelper'</c> source, by calling <c>GetStyleCSPHashes</c>
/// </summary>
StyleHashTagHelper = 1 << 14,

/// <summary>
/// Convenience combination of all mixin flags except <see cref="ScriptHashTagHelper"/> and <see cref="StyleHashTagHelper"/>
/// </summary>
All = Self |
HostSource |
Expand Up @@ -9,7 +9,7 @@ namespace NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy;
/// can be specified for all JavaScript script sources using <c>script-src</c>, or just for
/// &lt;script&gt; elements using <c>script-src-elem</c>.)
/// </summary>
[CspMixin(MixinTypes.UnsafeHashes | MixinTypes.Hash | MixinTypes.UnsafeInline | MixinTypes.None | MixinTypes.ReportSample)]
[CspMixin(MixinTypes.UnsafeHashes | MixinTypes.Hash | MixinTypes.UnsafeInline | MixinTypes.None | MixinTypes.ReportSample | MixinTypes.ScriptHashTagHelper)]
public partial class ScriptSourceAttrDirectiveBuilder : CspDirectiveBuilder
{
/// <summary>
Expand Up @@ -5,7 +5,7 @@
/// This includes not only URLs loaded directly into &lt;script&gt; elements, but also things
/// like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.
/// </summary>
[CspMixin(MixinTypes.All)]
[CspMixin(MixinTypes.All | MixinTypes.ScriptHashTagHelper)]
public partial class ScriptSourceDirectiveBuilder : CspDirectiveBuilder
{
/// <summary>
Expand Up @@ -9,7 +9,7 @@ namespace NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy;
/// "unsafe-eval" check, and XSLT stylesheets. (Valid sources can be specified for all
/// JavaScript script sources using <c>script-src</c>, or just for inline script handlers using <c>script-src-attr</c>.)
/// </summary>
[CspMixin(MixinTypes.All & ~MixinTypes.UnsafeHashes)] // Everything except unsafe hashes
[CspMixin((MixinTypes.All & ~MixinTypes.UnsafeHashes) | MixinTypes.ScriptHashTagHelper)] // Everything except unsafe hashes
public partial class ScriptSourceElemDirectiveBuilder : CspDirectiveBuilder
{
/// <summary>
Expand Up @@ -6,7 +6,7 @@ namespace NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy;
/// The directive does not set valid sources for &lt;style&gt; elements and &lt;link&gt; elements with rel="stylesheet".
/// These are set using <c>style-src-elem</c> (and valid sources for all styles may be set with <c>style-src</c>).
/// </summary>
[CspMixin(MixinTypes.UnsafeInline | MixinTypes.UnsafeHashes | MixinTypes.Hash | MixinTypes.ReportSample | MixinTypes.None)]
[CspMixin(MixinTypes.UnsafeInline | MixinTypes.UnsafeHashes | MixinTypes.Hash | MixinTypes.ReportSample | MixinTypes.None | MixinTypes.StyleHashTagHelper)]
public partial class StyleSourceAttrDirectiveBuilder : CspDirectiveBuilder
{
/// <summary>
Expand Up @@ -4,7 +4,7 @@
/// The <c>style-src</c> directive specifies valid sources for sources for stylesheets.
/// </summary>
[CspMixin(MixinTypes.HostSource | MixinTypes.SchemeSource | MixinTypes.Self | MixinTypes.None | MixinTypes.UnsafeEval
| MixinTypes.UnsafeInline | MixinTypes.UnsafeHashes | MixinTypes.Hash | MixinTypes.Nonce | MixinTypes.ReportSample)]
| MixinTypes.UnsafeInline | MixinTypes.UnsafeHashes | MixinTypes.Hash | MixinTypes.Nonce | MixinTypes.ReportSample | MixinTypes.StyleHashTagHelper)]
public partial class StyleSourceDirectiveBuilder : CspDirectiveBuilder
{
/// <summary>
Expand Up @@ -8,7 +8,7 @@ namespace NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy;
/// set using <c>style-src-attr</c> (and valid sources for all styles may be set with <c>style-src</c>).
/// </summary>
[CspMixin(MixinTypes.HostSource | MixinTypes.SchemeSource | MixinTypes.Self | MixinTypes.None | MixinTypes.UnsafeEval
| MixinTypes.UnsafeInline | MixinTypes.Hash | MixinTypes.Nonce | MixinTypes.ReportSample)]
| MixinTypes.UnsafeInline | MixinTypes.Hash | MixinTypes.Nonce | MixinTypes.ReportSample | MixinTypes.StyleHashTagHelper)]
public partial class StyleSourceElemDirectiveBuilder : CspDirectiveBuilder
{
/// <summary>
28 changes: 27 additions & 1 deletion src/SourceGenerator/SourceGenerationHelper.cs
Expand Up @@ -221,7 +221,14 @@ public partial class {{toGenerate.ClassName}}
{
return WithHash("sha512", hash);
}

""");
}

if (Contains(mixins, MixinTypes.ScriptHashTagHelper))
{
sb.AppendLine(
$$"""

/// <summary>
/// Allow sources for content generated using the HashTagHelper.
/// </summary>
Expand All @@ -236,6 +243,25 @@ public partial class {{toGenerate.ClassName}}
""");
}

if (Contains(mixins, MixinTypes.StyleHashTagHelper))
{
sb.AppendLine(
$$"""

/// <summary>
/// Allow sources for content generated using the HashTagHelper.
/// </summary>
/// <returns>The CSP builder for method chaining</returns>
public {{toGenerate.ClassName}} WithHashTagHelper()
{
SourceBuilders.Add(
ctx => string.Join(" ", ctx.GetStyleCSPHashes()),
$"{{toGenerate.NameSpace}}.{{toGenerate.ClassName}}.{nameof(WithHashTagHelper)}");
return this;
}
""");
}

if (Contains(mixins, MixinTypes.UnsafeInline))
{
sb.AppendLine(
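Review bot: The two new `if (Contains(mixins, MixinTypes.ScriptHashTagHelper))` and `if (Contains(mixins, MixinTypes.StyleHashTagHelper))` blocks are independent, so a builder annotated with both flags gets two `WithHashTagHelper()` members with the same signature. The generated partial class would then fail to compile with a duplicate-member error that points at generated code, not at the attribute. Nothing visible in the `MixinTypes` hunk or in this one rules that combination out. The smallest guard is to make the second test `else if (Contains(mixins, MixinTypes.StyleHashTagHelper))`; reporting a generator diagnostic when both bits are set would be better still. The emitted summary is also identical for both variants, so the style one could say which hashes it allows, e.g. `/// Allow sources for style content generated using the HashTagHelper.`. The enclosing generation method starts and ends outside these hunks.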
Expand Up @@ -381,7 +381,6 @@ namespace NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy
public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CustomDirectiveBuilder WithHash256(string hash) { }
public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CustomDirectiveBuilder WithHashSha384(string hash) { }
public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CustomDirectiveBuilder WithHashSha512(string hash) { }
public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CustomDirectiveBuilder WithHashTagHelper() { }
public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CustomDirectiveBuilder WithNonce() { }
}
public class DefaultSourceDirectiveBuilder : NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CspDirectiveBuilder
Expand All @@ -408,7 +407,6 @@ namespace NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy
public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.DefaultSourceDirectiveBuilder WithHash256(string hash) { }
public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.DefaultSourceDirectiveBuilder WithHashSha384(string hash) { }
public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.DefaultSourceDirectiveBuilder WithHashSha512(string hash) { }
public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.DefaultSourceDirectiveBuilder WithHashTagHelper() { }
public NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.DefaultSourceDirectiveBuilder WithNonce() { }
}
public class FontSourceDirectiveBuilder : NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy.CspDirectiveBuilder
Expand Up @@ -30,7 +30,7 @@ public Task CanGenerateCspMixinsInGlobalNamespace()

namespace NetEscapades.AspNetCore.SecurityHeaders.Headers.ContentSecurityPolicy
{
[CspMixin(MixinTypes.All)]
[CspMixin(MixinTypes.All | MixinTypes.ScriptHashTagHelper)]
public partial class TestBuilder : CspDirectiveBuilder
{
}
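Review bot: The only generator test input touched on this page is `[CspMixin(MixinTypes.All | MixinTypes.ScriptHashTagHelper)]`, which covers the script branch only. The new `StyleHashTagHelper` branch, the one that emits `ctx.GetStyleCSPHashes()` and carries the actual fix, has no case visible here. A regression back to script hashes in a style directive would weaken the resulting policy without any build error, so it deserves a pinned case. That would be a sibling test with `[CspMixin(MixinTypes.StyleHashTagHelper)]` on a test builder whose verified output contains `GetStyleCSPHashes` and not `GetScriptCSPHashes`. `CanGenerateCspMixinsInGlobalNamespace` continues outside the hunk, so such a case may exist in a part of the file not shown.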