diff options
| author | Thomas Müller <thomas.mueller@tmit.eu> | 2016-01-13 10:33:58 +0100 |
|---|---|---|
| committer | Thomas Müller <thomas.mueller@tmit.eu> | 2016-01-13 10:33:58 +0100 |
| commit | b1ee51f25577e4c407f525c740692d57b928b30b (patch) | |
| tree | 18f89f1b74093d48725c6a83ab3469a8795325de /core/js | |
| parent | 5565b19382d08df427fbdcf806c2a408a11f7207 (diff) | |
| parent | 4d0dcd3c53a4c8c9944bc23d41de71593c3bd5d6 (diff) | |
| download | nextcloud-server-b1ee51f25577e4c407f525c740692d57b928b30b.tar.gz nextcloud-server-b1ee51f25577e4c407f525c740692d57b928b30b.zip | |
Merge pull request #21630 from owncloud/add-some-security-headers-as-hardening
Add X-Download-Options and X-Permitted-Cross-Domain-Policies
Diffstat (limited to 'core/js')
| -rw-r--r-- | core/js/setupchecks.js | 4 | ||||
| -rw-r--r-- | core/js/tests/specs/setupchecksSpec.js | 49 |
2 files changed, 41 insertions, 12 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index 2f0cc4c7b34..2fa119334db 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -208,7 +208,9 @@ 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }; for (var header in securityHeaders) { diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index bb5d6d3881f..fff169ec098 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -389,7 +389,14 @@ describe('OC.SetupChecks tests', function() { }, { msg: 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }]); + }, { + msg: 'The "X-Download-Options" HTTP header is not configured to equal to "noopen". This is a potential security or privacy risk and we recommend adjusting this setting.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }, { + msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }, + ]); done(); }); }); @@ -403,7 +410,9 @@ describe('OC.SetupChecks tests', function() { { 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000;preload' + 'Strict-Transport-Security': 'max-age=15768000;preload', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -430,7 +439,9 @@ describe('OC.SetupChecks tests', function() { 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000' + 'Strict-Transport-Security': 'max-age=15768000', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -450,7 +461,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -494,7 +507,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -517,7 +532,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -540,7 +557,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -562,7 +581,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -580,7 +601,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -598,7 +621,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -616,7 +641,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ |