authorMoritz Beck <git@birkenstab.de>2018-10-11 13:09:17 +0200
committerMoritz Beck <git@birkenstab.de>2018-10-11 13:17:26 +0200
commitb68661ed6e52bb9b11f8d0a44a556f540857525f (patch)
treebca43cb8e4cc9f22281dbcb82f7f720a457a17e3 /core/js/tests
parent6e56a7b31e89b7abea4e9bcf78eec21f54dfd74c (diff)
downloadnextcloud-server-b68661ed6e52bb9b11f8d0a44a556f540857525f.tar.gz
nextcloud-server-b68661ed6e52bb9b11f8d0a44a556f540857525f.zip
Allow "same-origin" as "Referrer-Policy"
Fixes #11531
Although "same-origin" is stricter than e.g. "strict-origin", it triggered a warning in the setup check.
Based on https://scotthelme.co.uk/a-new-security-header-referrer-policy/
Signed-off-by: Moritz Beck <git@birkenstab.de>
Diffstat (limited to 'core/js/tests')
-rw-r--r--core/js/tests/specs/setupchecksSpec.js17
1 files changed, 6 insertions, 11 deletions
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index 38a39cdd746..d16032a5cf5 100644
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
@@ -830,7 +830,7 @@ describe('OC.SetupChecks tests', function() {
msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
- msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
+ msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
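Review bot: The expected Referrer-Policy message is a long literal repeated verbatim in this expectation and again in the hunks at -1019, -1045 and -1071, so every change to the accepted policy list has to be patched in four places. Hoisting it into one variable inside the `describe` block, e.g. `var referrerPolicyMsg = '…';`, and writing `msg: referrerPolicyMsg` in each expectation would keep the specs in step with the check. The enclosing `expect(data).toEqual([` call starts outside this hunk.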
@@ -975,7 +975,7 @@ describe('OC.SetupChecks tests', function() {
});
});
- it('should return a message if Referrer-Policy is set to same-origin', function(done) {
+ it('should return no message if Referrer-Policy is set to same-origin', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
@@ -991,12 +991,7 @@ describe('OC.SetupChecks tests', function() {
});
result.done(function( data, s, x ){
- expect(data).toEqual([
- {
- msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
- type: OC.SetupChecks.MESSAGE_TYPE_INFO
- }
- ]);
+ expect(data).toEqual([]);
done();
});
});
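Review bot: The `expect(data).toEqual([]);` assertion covers only the single header value the test sets up above the hunk (presumably the bare `same-origin` token, going by the test title). There is no spec for a header carrying a comma-separated fallback list such as `no-referrer, same-origin`, which the Referrer-Policy specification permits. Whether `checkGeneric` handles that form is not visible here, so a companion spec would pin the behaviour either way. A one-line comment above the expectation, `// same-origin sends no referrer cross-origin, so no hint is expected`, would also record why the empty result is correct. The `it(...)` body starts outside this hunk.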
@@ -1019,7 +1014,7 @@ describe('OC.SetupChecks tests', function() {
result.done(function( data, s, x ){
expect(data).toEqual([
{
- msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
+ msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
@@ -1045,7 +1040,7 @@ describe('OC.SetupChecks tests', function() {
result.done(function( data, s, x ){
expect(data).toEqual([
{
- msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
+ msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
@@ -1071,7 +1066,7 @@ describe('OC.SetupChecks tests', function() {
result.done(function( data, s, x ){
expect(data).toEqual([
{
- msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
+ msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);