authorJohn Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>2018-10-23 16:44:09 +0200
committerJohn Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>2018-10-23 16:44:20 +0200
commitb6981dcecb0fb80b3b519af70f2c29329fe2c2b0 (patch)
treea0042912470bd4be6e84ccf0e176fa1afb9b1781 /core/js/setupchecks.js
parent26ca7a0e2f86cb76726073f2d73fd5cb8a1e09d9 (diff)
parent39338aaa676168b0a53c3a1f6d5363569f303361 (diff)
Merge branch 'master' of https://github.com/nextcloud/server into gridview-table
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
Diffstat (limited to 'core/js/setupchecks.js')
-rw-r--r--core/js/setupchecks.js13
1 files changed, 12 insertions, 1 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index de329a8ca5c..aa59cc8181b 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -422,7 +422,6 @@
if (xhr.status === 200) {
var securityHeaders = {
- 'X-XSS-Protection': ['1; mode=block'],
'X-Content-Type-Options': ['nosniff'],
'X-Robots-Tag': ['none'],
'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
@@ -443,6 +442,18 @@
}
}
+ var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(function(item) { return item.trim(); }) : [];
+ if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
+ messages.push({
+ msg: t('core', 'The "{header}" HTTP header doesn\'t contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
+ {
+ header: 'X-XSS-Protection',
+ expected: '1; mode=block'
+ }),
+ type: OC.SetupChecks.MESSAGE_TYPE_WARNING
+ });
+ }
+
if (!xhr.getResponseHeader('Referrer-Policy') ||
(xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer' &&
xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer-when-downgrade' &&