Merge pull request #22592 from owncloud/fix-response-header

Add header for attachment disposition only once

2 files changed, 73 insertions, 4 deletions

diff --git a/build/integration/features/bootstrap/WebDav.php b/build/integration/features/bootstrap/WebDav.php
index 58fdfed1711..be87a09731b 100644
--- a/build/integration/features/bootstrap/WebDav.php
+++ b/build/integration/features/bootstrap/WebDav.php
@@ -12,6 +12,8 @@ require __DIR__ . '/../../vendor/autoload.php';
 trait WebDav {
 	/** @var string*/
 	private $davPath = "remote.php/webdav";
+	/** @var ResponseInterface */
+	private $response;
 
 	/**
 	 * @Given /^using dav path "([^"]*)"$/
@@ -104,6 +106,48 @@ trait WebDav {
 		$this->downloadedContentShouldBe($content);
 	}
 
+	/**
+	 * @When Downloading file :fileName
+	 */
+	public function downloadingFile($fileName) {
+		$this->response = $this->makeDavRequest($this->currentUser, 'GET', $fileName, []);
+	}
+
+	/**
+	 * @Then The following headers should be set
+	 */
+	public function theFollowingHeadersShouldBeSet(\Behat\Gherkin\Node\TableNode $table) {
+		foreach($table->getTable() as $header) {
+			$headerName = $header[0];
+			$expectedHeaderValue = $header[1];
+			$returnedHeader = $this->response->getHeader($headerName);
+			if($returnedHeader !== $expectedHeaderValue) {
+				throw new \Exception(
+					sprintf(
+						"Expected value '%s' for header '%s', got '%s'",
+						$expectedHeaderValue,
+						$headerName,
+						$returnedHeader
+					)
+				);
+			}
+		}
+	}
+
+	/**
+	 * @Then Downloaded content should start with :start
+	 */
+	public function downloadedContentShouldStartWith($start) {
+		if(strpos($this->response->getBody()->getContents(), $start) !== 0) {
+			throw new \Exception(
+				sprintf(
+					"Expected '%s', got '%s'",
+					$start,
+					$this->response->getBody()->getContents()
+				)
+			);
+		}
+	}
 
 	/*Returns the elements of a propfind, $folderDepth requires 1 to see elements without children*/
 	public function listFolder($user, $path, $folderDepth){
diff --git a/build/integration/features/webdav-related.feature b/build/integration/features/webdav-related.feature
index 8be2c196308..c424f77afd5 100644
--- a/build/integration/features/webdav-related.feature
+++ b/build/integration/features/webdav-related.feature
@@ -15,7 +15,6 @@ Feature: sharing
 		When Downloading file "/welcome.txt" with range "bytes=51-77"
 		Then Downloaded content should be "example file for developers"
 
-
 	Scenario: Upload forbidden if quota is 0
 		Given using dav path "remote.php/webdav"
 		And As an "admin"
@@ -33,9 +32,35 @@ Feature: sharing
 		And Downloading last public shared file with range "bytes=51-77"
 		Then Downloaded content should be "example file for developers"
 
-
-
-
+	Scenario: Downloading a file on the old endpoint should serve security headers
+		Given using dav path "remote.php/webdav"
+		And As an "admin"
+		When Downloading file "/welcome.txt"
+		Then The following headers should be set
+			|Content-Disposition|attachment|
+			|Content-Security-Policy|default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *|
+			|X-Content-Type-Options |nosniff|
+			|X-Download-Options|noopen|
+			|X-Frame-Options|Sameorigin|
+			|X-Permitted-Cross-Domain-Policies|none|
+			|X-Robots-Tag|none|
+			|X-XSS-Protection|1; mode=block|
+		And Downloaded content should start with "Welcome to your ownCloud account!"
+
+	Scenario: Downloading a file on the new endpoint should serve security headers
+		Given using dav path "remote.php/dav/files/admin/"
+		And As an "admin"
+		When Downloading file "/welcome.txt"
+		Then The following headers should be set
+			|Content-Disposition|attachment|
+			|Content-Security-Policy|default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *|
+			|X-Content-Type-Options |nosniff|
+			|X-Download-Options|noopen|
+			|X-Frame-Options|Sameorigin|
+			|X-Permitted-Cross-Domain-Policies|none|
+			|X-Robots-Tag|none|
+			|X-XSS-Protection|1; mode=block|
+		And Downloaded content should start with "Welcome to your ownCloud account!"