diff options
author | Daniel Peukert <dan.peukert@gmail.com> | 2018-10-17 18:22:05 +0200 |
---|---|---|
committer | Daniel Peukert <dan.peukert@gmail.com> | 2018-10-17 18:51:01 +0200 |
commit | 7a5d6ac15c5501ba116708b93080c6c6d0b2465f (patch) | |
tree | 532010c7dfaba8511c38fb884e13ef3848e2d646 | |
parent | 2da4f96bd6e6929bf9b8bd3ce6c602fa5b00f570 (diff) | |
download | nextcloud-server-7a5d6ac15c5501ba116708b93080c6c6d0b2465f.tar.gz nextcloud-server-7a5d6ac15c5501ba116708b93080c6c6d0b2465f.zip |
Fix failing tests and add some more
Signed-off-by: Daniel Peukert <dan.peukert@gmail.com>
-rw-r--r-- | core/js/tests/specs/setupchecksSpec.js | 114 |
1 files changed, 106 insertions, 8 deletions
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index d16032a5cf5..3de1a4463b0 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -811,9 +811,6 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([ { - msg: 'The "X-XSS-Protection" HTTP header is not set to "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }, { msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }, { @@ -830,6 +827,9 @@ describe('OC.SetupChecks tests', function() { msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }, { + msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }, { msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.', type: OC.SetupChecks.MESSAGE_TYPE_INFO } @@ -855,13 +855,15 @@ describe('OC.SetupChecks tests', function() { ); async.done(function( data, s, x ){ - expect(data).toEqual([{ - msg: 'The "X-XSS-Protection" HTTP header is not set to "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING, - }, { + expect(data).toEqual([ + { msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }]); + }, { + msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING, + } + ]); done(); }); }); @@ -890,6 +892,102 @@ describe('OC.SetupChecks tests', function() { }); }); + describe('check X-XSS-Protection header', function() { + it('should return no message if X-XSS-Protection is set to 1; mode=block; report=https://example.com', function(done) { + protocolStub.returns('https'); + var result = OC.SetupChecks.checkGeneric(); + + suite.server.requests[0].respond(200, { + 'Strict-Transport-Security': 'max-age=15768000', + 'X-XSS-Protection': '1; mode=block; report=https://example.com', + 'X-Content-Type-Options': 'nosniff', + 'X-Robots-Tag': 'none', + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', + 'Referrer-Policy': 'no-referrer', + }); + + result.done(function( data, s, x ){ + expect(data).toEqual([]); + done(); + }); + }); + + it('should return no message if X-XSS-Protection is set to 1; mode=block', function(done) { + protocolStub.returns('https'); + var result = OC.SetupChecks.checkGeneric(); + + suite.server.requests[0].respond(200, { + 'Strict-Transport-Security': 'max-age=15768000', + 'X-XSS-Protection': '1; mode=block', + 'X-Content-Type-Options': 'nosniff', + 'X-Robots-Tag': 'none', + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', + 'Referrer-Policy': 'no-referrer', + }); + + result.done(function( data, s, x ){ + expect(data).toEqual([]); + done(); + }); + }); + + it('should return a message if X-XSS-Protection is set to 1', function(done) { + protocolStub.returns('https'); + var result = OC.SetupChecks.checkGeneric(); + + suite.server.requests[0].respond(200, { + 'Strict-Transport-Security': 'max-age=15768000', + 'X-XSS-Protection': '1', + 'X-Content-Type-Options': 'nosniff', + 'X-Robots-Tag': 'none', + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', + 'Referrer-Policy': 'no-referrer', + }); + + result.done(function( data, s, x ){ + expect(data).toEqual([ + { + msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + } + ]); + done(); + }); + }); + + it('should return a message if X-XSS-Protection is set to 0', function(done) { + protocolStub.returns('https'); + var result = OC.SetupChecks.checkGeneric(); + + suite.server.requests[0].respond(200, { + 'Strict-Transport-Security': 'max-age=15768000', + 'X-XSS-Protection': '0', + 'X-Content-Type-Options': 'nosniff', + 'X-Robots-Tag': 'none', + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', + 'Referrer-Policy': 'no-referrer', + }); + + result.done(function( data, s, x ){ + expect(data).toEqual([ + { + msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + } + ]); + done(); + }); + }); + }); + describe('check Referrer-Policy header', function() { it('should return no message if Referrer-Policy is set to no-referrer', function(done) { protocolStub.returns('https'); |