Merge pull request #1995 from vidarkongsli/dev

Add ImgSrc property to CspOptions
IdentityServer · Oct 6, 2015 · acc6cb9 · acc6cb9
2 parents 284b1a5 + df8f898
commit acc6cb9
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/source/Core/Configuration/CspOptions.cs b/source/Core/Configuration/CspOptions.cs
@@ -36,15 +36,15 @@ public CspOptions()
         ///   <c>true</c> if enabled; otherwise, <c>false</c>.
         /// </value>
         public bool Enabled { get; set; }
-        
+
         /// <summary>
         /// Allows additional script sources to be indicated.
         /// </summary>
         /// <value>
         /// The script source.
         /// </value>
         public string ScriptSrc { get; set; }
- 
+
         /// <summary>
         /// Allows additional style sources to be indicated.
         /// </summary>
@@ -60,13 +60,21 @@ public CspOptions()
         /// The font source.
         /// </value>
         public string FontSrc { get; set; }
-        
+
         /// <summary>
         /// Allows additional connect sources to be indicated.
         /// </summary>
         /// <value>
         /// The connect source.
         /// </value>
         public string ConnectSrc { get; set; }
+
+        /// <summary>
+        /// Allows additional image sources to be indicated.
+        /// </summary>
+        /// <value>
+        /// The connect source.
+        /// </value>
+        public string ImgSrc { get; set; }
     }
 }
diff --git a/source/Core/Configuration/Hosting/SecurityHeadersAttribute.cs b/source/Core/Configuration/Hosting/SecurityHeadersAttribute.cs
@@ -63,7 +63,7 @@ public override void OnActionExecuted(HttpActionExecutedContext actionExecutedCo
                     if (options.CspOptions.Enabled)
                     {
                         // img-src as * due to client logos
-                        var value = "default-src 'self'; script-src 'self' {0}; style-src 'self' 'unsafe-inline' {1}; img-src *;";
+                        var value = "default-src 'self'; script-src 'self' {0}; style-src 'self' 'unsafe-inline' {1}; img-src {2};";
 
                         if (!String.IsNullOrWhiteSpace(options.CspOptions.FontSrc))
                         {
@@ -74,7 +74,7 @@ public override void OnActionExecuted(HttpActionExecutedContext actionExecutedCo
                             value += String.Format("connect-src {0};", options.CspOptions.ConnectSrc);
                         }
 
-                        value = String.Format(value, options.CspOptions.ScriptSrc, options.CspOptions.StyleSrc);
+                        value = String.Format(value, options.CspOptions.ScriptSrc, options.CspOptions.StyleSrc, options.CspOptions.ImgSrc ?? "*");
                         if (options.Endpoints.EnableCspReportEndpoint)
                         {
                             value += " report-uri " + ctx.GetCspReportUrl();