(xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer' &&
xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer-when-downgrade' &&
xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin' &&
- xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin-when-cross-origin')) {
+ xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin-when-cross-origin' &&
+ xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'same-origin')) {
messages.push({
- msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}"
or "{val4}". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" href="{link}">W3C Recommendation ↗</a>.',
+ msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}"
, "{val4}" or "{val5}". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" href="{link}">W3C Recommendation ↗</a>.',
{
header: 'Referrer-Policy',
val1: 'no-referrer',
val2: 'no-referrer-when-downgrade',
val3: 'strict-origin',
val4: 'strict-origin-when-cross-origin',
+ val5: 'same-origin',
link: 'https://www.w3.org/TR/referrer-policy/'
}),
type: OC.SetupChecks.MESSAGE_TYPE_INFO
msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
- msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin"
or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
+ msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin"
, "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
});
});
- it('should return a message if Referrer-Policy is set to same-origin', function(done) {
+ it('should return no message if Referrer-Policy is set to same-origin', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
});
result.done(function( data, s, x ){
- expect(data).toEqual([
- {
- msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
- type: OC.SetupChecks.MESSAGE_TYPE_INFO
- }
- ]);
+ expect(data).toEqual([]);
done();
});
});
result.done(function( data, s, x ){
expect(data).toEqual([
{
- msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin"
or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
+ msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin"
, "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
result.done(function( data, s, x ){
expect(data).toEqual([
{
- msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin"
or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
+ msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin"
, "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
result.done(function( data, s, x ){
expect(data).toEqual([
{
- msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin"
or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
+ msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin"
, "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
projects / nextcloud-server.git / commitdiff