From: lukasz-jarocki-sonarsource
Date: Thu, 12 Sep 2024 14:10:38 +0000 (+0200)
Subject: SONAR-23029 fix ssf
X-Git-Tag: 10.7.0.96327~101
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=daf512d755a7c23a426b297ff7a43b57b33048f3;p=sonarqube.git
SONAR-23029 fix ssf
---
diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
index afb7332af2c..ce0687a7011 100644
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
+++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
@@ -83,11 +83,11 @@ public class SecurityServletFilter implements Filter {
 }
 
 // Cross-site scripting
- // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- httpResponse.setHeader("X-XSS-Protection", "1; mode=block");
+ // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
+ httpResponse.setHeader("X-XSS-Protection", "0");
 
 // MIME-sniffing
- // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
 httpResponse.setHeader("X-Content-Type-Options", "nosniff");
 }
 
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
index 338c346eee1..1ab54b7902d 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
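Review bot: The new `httpResponse.setHeader("X-XSS-Protection", "0")` in SecurityServletFilter reads like a protection being switched off, and the comment above it only says `// Cross-site scripting` plus a link, so a later reader may well "fix" it back to `1; mode=block`; the commit message `fix ssf` gives no rationale either. The linked OWASP cheat sheet is the reason: the legacy browser XSS auditor is no longer implemented by current browsers and its filtering behaviour was itself a source of weaknesses, so `0` is the recommended value and Content-Security-Policy is the actual header-level mitigation. Suggest stating that next to the call, e.g. `// Deliberately set to 0: the legacy browser XSS auditor is obsolete and could be abused; XSS mitigation relies on output encoding and CSP, not on this header.` This hunk sets no Content-Security-Policy header, and the enclosing method starts outside the hunk, so whether CSP is emitted elsewhere cannot be confirmed here; if it is not, that is still acceptable per the cheat sheet but deserves a sentence in the comment.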
@@ -54,7 +54,7 @@ public class SecurityErrorReportValveTest {
 underTest.invoke(request, response);
 
 verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
- verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+ verify(response).setHeader("X-XSS-Protection", "0");
 verify(response).setHeader("X-Content-Type-Options", "nosniff");
 verify(response).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains;");
 }
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
index 14805dc0ed0..500deeb7e5e 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
@@ -99,7 +99,7 @@ public class SecurityServletFilterTest {
 underTest.doFilter(request, response, chain);
 
 verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
- verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+ verify(response).setHeader("X-XSS-Protection", "0");
 verify(response).setHeader("X-Content-Type-Options", "nosniff");
 assertNull(response.getHeader("Strict-Transport-Security"));
 }
@@ -112,7 +112,7 @@ public class SecurityServletFilterTest {
 underTest.doFilter(request, response, chain);
 
 verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
- verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+ verify(response).setHeader("X-XSS-Protection", "0");
 verify(response).setHeader("X-Content-Type-Options", "nosniff");
 verify(response).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains;");
 }
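Review bot: SecurityErrorReportValveTest now expects `verify(response).setHeader("X-XSS-Protection", "0")` from the valve, yet no change to SecurityErrorReportValve itself is in this diff, so the test can only pass if the valve delegates to the same header-setting code as SecurityServletFilter; if it carries its own literal it needs the same update, and if it delegates, that coupling is worth a one-line comment in the test so the next header change is not missed. The literal `"0"` and the header name are now repeated in the filter, the valve test and the four SecurityServletFilterTest hunks at -99, -112, -124 and -138; a package-visible constant on SecurityServletFilter, or at least one `private static final String` in each test class, would keep the expected value from drifting between production code and tests.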
@@ -124,7 +124,7 @@ public class SecurityServletFilterTest {
 underTest.doFilter(request, response, chain);
 
 verify(response, never()).setHeader(eq("X-Frame-Options"), anyString());
- verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+ verify(response).setHeader("X-XSS-Protection", "0");
 verify(response).setHeader("X-Content-Type-Options", "nosniff");
 }
 
@@ -138,7 +138,7 @@ public class SecurityServletFilterTest {
 underTest.doFilter(request, response, chain);
 
 verify(response, never()).setHeader(eq("X-Frame-Options"), anyString());
- verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+ verify(response).setHeader("X-XSS-Protection", "0");
 verify(response).setHeader("X-Content-Type-Options", "nosniff");
 }