SONAR-23029 fix ssf

author lukasz-jarocki-sonarsource <lukasz.jarocki@sonarsource.com>

Thu, 12 Sep 2024 14:10:38 +0000 (16:10 +0200)

committer sonartech <sonartech@sonarsource.com>

Fri, 13 Sep 2024 20:02:35 +0000 (20:02 +0000)
author lukasz-jarocki-sonarsource <lukasz.jarocki@sonarsource.com>
Thu, 12 Sep 2024 14:10:38 +0000 (16:10 +0200)
committer sonartech <sonartech@sonarsource.com>
Fri, 13 Sep 2024 20:02:35 +0000 (20:02 +0000)
diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java

index afb7332af2c0db68fa21d51ed9923572f64c5f1b..ce0687a70110bf6e6e8f253a6bec6720f0750f5f 100644 (file)
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
+++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
@@ -83,11 +83,11 @@ public class SecurityServletFilter implements Filter {
      }
  
      // Cross-site scripting
-    // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    httpResponse.setHeader("X-XSS-Protection", "1; mode=block");
+    // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
+    httpResponse.setHeader("X-XSS-Protection", "0");
  
      // MIME-sniffing
-    // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+    // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
      httpResponse.setHeader("X-Content-Type-Options", "nosniff");
    }
  
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java

index 338c346eee1f1c8546060dba3c63d68ab84c95ed..1ab54b7902dc547859c5bb3b09ff1585c3f418e7 100644 (file)
--- a/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
@@ -54,7 +54,7 @@ public class SecurityErrorReportValveTest {
      underTest.invoke(request, response);
  
      verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
      verify(response).setHeader("X-Content-Type-Options", "nosniff");
      verify(response).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains;");
    }
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java

index 14805dc0ed0183eeef9dade88c4f3ddabd98e25f..500deeb7e5efa3b43d32271ae7eb5694983fe666 100644 (file)
--- a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
@@ -99,7 +99,7 @@ public class SecurityServletFilterTest {
      underTest.doFilter(request, response, chain);
  
      verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
      verify(response).setHeader("X-Content-Type-Options", "nosniff");
      assertNull(response.getHeader("Strict-Transport-Security"));
    }
@@ -112,7 +112,7 @@ public class SecurityServletFilterTest {
      underTest.doFilter(request, response, chain);
  
      verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
      verify(response).setHeader("X-Content-Type-Options", "nosniff");
      verify(response).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains;");
    }
@@ -124,7 +124,7 @@ public class SecurityServletFilterTest {
      underTest.doFilter(request, response, chain);
  
      verify(response, never()).setHeader(eq("X-Frame-Options"), anyString());
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
      verify(response).setHeader("X-Content-Type-Options", "nosniff");
    }
  
@@ -138,7 +138,7 @@ public class SecurityServletFilterTest {
      underTest.doFilter(request, response, chain);
  
      verify(response, never()).setHeader(eq("X-Frame-Options"), anyString());
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
      verify(response).setHeader("X-Content-Type-Options", "nosniff");
    }
author	lukasz-jarocki-sonarsource <lukasz.jarocki@sonarsource.com>
	Thu, 12 Sep 2024 14:10:38 +0000 (16:10 +0200)
committer	sonartech <sonartech@sonarsource.com>
	Fri, 13 Sep 2024 20:02:35 +0000 (20:02 +0000)
server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java		patch \| blob \| history
server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java		patch \| blob \| history
server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java		patch \| blob \| history