Reintroduce NWebsec.Owin in Mvc.Server (aspnet50 only)

samples/Mvc/Mvc.Server/Extensions/AppBuilderExtensions.cs

@@ -0,0 +1,38 @@
+#if ASPNET50
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Microsoft.AspNet.Builder;
+using Microsoft.AspNet.Hosting;
+using Microsoft.Owin.Builder;
+using Microsoft.Owin.BuilderProperties;
+using Owin;
+
+namespace Mvc.Server.Extensions {
+    using AppFunc = Func<IDictionary<string, object>, Task>;
+    using BuildFunc = Action<Func<Func<IDictionary<string, object>, Task>,
+                                  Func<IDictionary<string, object>, Task>>>;
+
+    public static class AppBuilderExtensions {
+        public static void UseOwinAppBuilder(this IApplicationBuilder app, Action<IAppBuilder> configuration) {
+            BuildFunc buildFunc = app.UseOwin();
+
+            buildFunc(next => {
+                var builder = new AppBuilder();
+                var lifetime = (IApplicationLifetime) app.ApplicationServices.GetService(typeof(IApplicationLifetime));
+
+                var properties = new AppProperties(builder.Properties);
+                properties.AppName = app.Server.Name;
+                properties.OnAppDisposing = lifetime.ApplicationStopping;
+                properties.DefaultApp = next;
+
+                configuration(builder);
+
+                AppFunc appFunc = (AppFunc) builder.Build(typeof(AppFunc));
+
+                return environment => appFunc.Invoke(environment);
+            });
+        }
+    }
+}
+#endif

samples/Mvc/Mvc.Server/Startup.cs

@@ -11,6 +11,11 @@
 using Mvc.Server.Models;
 using Mvc.Server.Providers;
 
+#if ASPNET50
+using Mvc.Server.Extensions;
+using NWebsec.Owin;
+#endif
+
 namespace Mvc.Server {
     public class Startup {
         public void Configure(IApplicationBuilder app) {
@@ -71,6 +76,27 @@ public class Startup {
                 options.ConsumerSecret = "Il2eFzGIrYhz6BWjYhVXBPQSfZuS4xoHpSSyD9PI";
             });
 
+#if ASPNET50
+            app.UseOwinAppBuilder(owin => {
+                // Insert a new middleware responsible of setting the Content-Security-Policy header.
+                // See https://nwebsec.codeplex.com/wikipage?title=Configuring%20Content%20Security%20Policy&referringTitle=NWebsec
+                owin.UseCsp(options => options.DefaultSources(configuration => configuration.Self())
+                                              .ScriptSources(configuration => configuration.UnsafeInline()));
+
+                // Insert a new middleware responsible of setting the X-Content-Type-Options header.
+                // See https://nwebsec.codeplex.com/wikipage?title=Configuring%20security%20headers&referringTitle=NWebsec
+                owin.UseXContentTypeOptions();
+
+                // Insert a new middleware responsible of setting the X-Frame-Options header.
+                // See https://nwebsec.codeplex.com/wikipage?title=Configuring%20security%20headers&referringTitle=NWebsec
+                owin.UseXfo(options => options.Deny());
+
+                // Insert a new middleware responsible of setting the X-Xss-Protection header.
+                // See https://nwebsec.codeplex.com/wikipage?title=Configuring%20security%20headers&referringTitle=NWebsec
+                owin.UseXXssProtection(options => options.EnabledWithBlockMode());
+            });
+#endif
+
             app.UseOpenIdConnectServer(options => {
                 options.AuthenticationType = OpenIdConnectDefaults.AuthenticationType;
 

samples/Mvc/Mvc.Server/project.json

@@ -29,6 +29,12 @@
         "aspnet50": {
             "frameworkAssemblies": {
                 "System.IdentityModel": ""
+            },
+
+            "dependencies": {
+                "Microsoft.AspNet.Owin": "1.0.0-*",
+                "Microsoft.Owin": "3.0.0",
+                "NWebsec.Owin": "1.0.0"
             }
         }
     }