diff options
| author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2019-08-11 21:30:51 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-08-11 21:30:51 +0200 |
| commit | 9d6eb2daf7c0f9d50aca78db02dbe8418a642768 (patch) | |
| tree | 470f1ed3fe6520b90f4b084ec943cbb802be2499 | |
| parent | dc80aede757f91e565b83a9d823ffa0ca580f9f6 (diff) | |
| parent | 1b074f48d824107de651a34a3948692cb5ca448f (diff) | |
| download | nextcloud-server-9d6eb2daf7c0f9d50aca78db02dbe8418a642768.tar.gz nextcloud-server-9d6eb2daf7c0f9d50aca78db02dbe8418a642768.zip | |
Merge pull request #16179 from J0WI/mv-frameoptions
Add X-Frame-Options header to .htaccess
| -rw-r--r-- | .htaccess | 17 | ||||
| -rw-r--r-- | lib/private/legacy/response.php | 10 |
2 files changed, 14 insertions, 13 deletions
diff --git a/.htaccess b/.htaccess index cc2e0c95eb1..2a4c8dfe5b6 100644 --- a/.htaccess +++ b/.htaccess @@ -11,12 +11,13 @@ <IfModule mod_env.c> # Add security and privacy related headers - Header set X-Content-Type-Options "nosniff" - Header set X-XSS-Protection "1; mode=block" - Header set X-Robots-Tag "none" - Header set X-Download-Options "noopen" - Header set X-Permitted-Cross-Domain-Policies "none" - Header set Referrer-Policy "no-referrer" + Header always set Referrer-Policy "no-referrer" + Header always set X-Content-Type-Options "nosniff" + Header always set X-Download-Options "noopen" + Header always set X-Frame-Options "SAMEORIGIN" + Header always set X-Permitted-Cross-Domain-Policies "none" + Header always set X-Robots-Tag "none" + Header always set X-XSS-Protection "1; mode=block" SetEnv modHeadersAvailable true </IfModule> @@ -40,8 +41,8 @@ </IfModule> <IfModule mod_rewrite.c> RewriteEngine on - RewriteCond %{HTTP_USER_AGENT} DavClnt - RewriteRule ^$ /remote.php/webdav/ [L,R=302] + RewriteCond %{HTTP_USER_AGENT} DavClnt + RewriteRule ^$ /remote.php/webdav/ [L,R=302] RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L] RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L] diff --git a/lib/private/legacy/response.php b/lib/private/legacy/response.php index 361a085c0c0..46d90816dbb 100644 --- a/lib/private/legacy/response.php +++ b/lib/private/legacy/response.php @@ -89,22 +89,22 @@ class OC_Response { . 'frame-src *; ' . 'img-src * data: blob:; ' . 'font-src \'self\' data:; ' - . 'media-src *; ' + . 'media-src *; ' . 'connect-src *; ' . 'object-src \'none\'; ' . 'base-uri \'self\'; '; header('Content-Security-Policy:' . $policy); - header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains // Send fallback headers for installations that don't have the possibility to send // custom headers on the webserver side if(getenv('modHeadersAvailable') !== 'true') { - header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters + header('Referrer-Policy: no-referrer'); // https://www.w3.org/TR/referrer-policy/ header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE - header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx + header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html - header('Referrer-Policy: no-referrer'); // https://www.w3.org/TR/referrer-policy/ + header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag + header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters } } |