author Lukas Reschke <lukas@owncloud.com> 2016-02-23 11:54:22 +0100
committer Lukas Reschke <lukas@owncloud.com> 2016-02-23 12:23:41 +0100
commit fc2c5fe41420c2c43c6718a5a2e287afde5bdf49
tree 6a9a398c3ba30ace50bfe65d9143764bfecb29ce /build/integration/features/webdav-related.feature
parent 59acc53483bd7c61285fa2495992836c3e00e74b
Add header for attachment disposition only once
Recent refactorings have resulted in the header being added twice; this makes browsers ignore the header, which removes any security gains. This changeset adds the header only once and adds integration tests ensuring the correct header in future. https://github.com/owncloud/core/issues/22577
Diffstat (limited to 'build/integration/features/webdav-related.feature')
-rw-r--r-- build/integration/features/webdav-related.feature | 33
1 file changed, 29 insertions, 4 deletions
diff --git a/build/integration/features/webdav-related.feature b/build/integration/features/webdav-related.feature
index 8be2c196308..c424f77afd5 100644
--- a/build/integration/features/webdav-related.feature
+++ b/build/integration/features/webdav-related.feature
@@ -15,7 +15,6 @@ Feature: sharing
When Downloading file "/welcome.txt" with range "bytes=51-77"
Then Downloaded content should be "example file for developers"
-
Scenario: Upload forbidden if quota is 0
Given using dav path "remote.php/webdav"
And As an "admin"
@@ -33,9 +32,35 @@ Feature: sharing
And Downloading last public shared file with range "bytes=51-77"
Then Downloaded content should be "example file for developers"
-
-
-
+ Scenario: Downloading a file on the old endpoint should serve security headers
+ Given using dav path "remote.php/webdav"
+ And As an "admin"
+ When Downloading file "/welcome.txt"
+ Then The following headers should be set
+ |Content-Disposition|attachment|
+ |Content-Security-Policy|default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *|
+ |X-Content-Type-Options |nosniff|
+ |X-Download-Options|noopen|
+ |X-Frame-Options|Sameorigin|
+ |X-Permitted-Cross-Domain-Policies|none|
+ |X-Robots-Tag|none|
+ |X-XSS-Protection|1; mode=block|
+ And Downloaded content should start with "Welcome to your ownCloud account!"
+
+ Scenario: Downloading a file on the new endpoint should serve security headers
+ Given using dav path "remote.php/dav/files/admin/"
+ And As an "admin"
+ When Downloading file "/welcome.txt"
+ Then The following headers should be set
+ |Content-Disposition|attachment|
+ |Content-Security-Policy|default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *|
+ |X-Content-Type-Options |nosniff|
+ |X-Download-Options|noopen|
+ |X-Frame-Options|Sameorigin|
+ |X-Permitted-Cross-Domain-Policies|none|
+ |X-Robots-Tag|none|
+ |X-XSS-Protection|1; mode=block|
+ And Downloaded content should start with "Welcome to your ownCloud account!"
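Review bot: The step "The following headers should be set" in both new scenarios needs to assert that each header is present exactly once, not merely that it is present with the expected value, otherwise the regression this commit fixes (the header emitted twice, which the commit message says browsers then ignore) could slip through if the HTTP client used by the test context joins or picks the first of repeated header values. Two smaller points in the same tables: the cell `|X-Content-Type-Options |nosniff|` carries a trailing space in the header name on both tables, so the step must trim cells or the lookup will miss; and the expected `|X-Frame-Options|Sameorigin|` only matches if the comparison is case-insensitive, since the value the server actually sends is what the assertion should mirror. Since the two scenarios differ only in the dav path, consider a Scenario Outline with an Examples table over `remote.php/webdav` and `remote.php/dav/files/admin/` so the header list is maintained in one place.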