diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2017-11-14 14:30:14 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-11-14 14:30:14 +0100 |
| commit | 6d1d2dde0b56b8cc16855599628493bd5cfc9c4d (patch) | |
| tree | a8e32c11731e48ac3abd4c227ea99aae53c862bc /core/js/setupchecks.js | |
| parent | a6d894893770e9ce5b89dcb3d9d30f346be06bfe (diff) | |
| parent | b44c3dd198317c4685f43a957907b5894269f396 (diff) | |
| download | nextcloud-server-6d1d2dde0b56b8cc16855599628493bd5cfc9c4d.tar.gz nextcloud-server-6d1d2dde0b56b8cc16855599628493bd5cfc9c4d.zip | |
Merge pull request #4856 from coderkun/issue-3808-xframe-deny
Improve warning for X-Frame-Options header DENY (#3808)
Diffstat (limited to 'core/js/setupchecks.js')
| -rw-r--r-- | core/js/setupchecks.js | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index 99e3c72d2d4..88e44a547e4 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -248,18 +248,22 @@ if (xhr.status === 200) { var securityHeaders = { - 'X-XSS-Protection': '1; mode=block', - 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN', - 'X-Download-Options': 'noopen', - 'X-Permitted-Cross-Domain-Policies': 'none', + 'X-XSS-Protection': ['1; mode=block'], + 'X-Content-Type-Options': ['nosniff'], + 'X-Robots-Tag': ['none'], + 'X-Frame-Options': ['SAMEORIGIN', 'DENY'], + 'X-Download-Options': ['noopen'], + 'X-Permitted-Cross-Domain-Policies': ['none'], }; - for (var header in securityHeaders) { - if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) { + var option = securityHeaders[header][0]; + if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== option.toLowerCase()) { + var msg = t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: option}); + if(xhr.getResponseHeader(header) && securityHeaders[header].length > 1 && xhr.getResponseHeader(header).toLowerCase() === securityHeaders[header][1].toLowerCase()) { + msg = t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". Some features might not work correctly and we recommend adjusting this setting.', {header: header, expected: option}); + } messages.push({ - msg: t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}), + msg: msg, type: OC.SetupChecks.MESSAGE_TYPE_WARNING }); } |