diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2016-01-11 21:20:42 +0100 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2016-01-12 10:37:16 +0100 |
| commit | 4d0dcd3c53a4c8c9944bc23d41de71593c3bd5d6 (patch) | |
| tree | 425251b10adc5a1d8791ce658f10a0058bf16a4d /core | |
| parent | 3317dd0a8e2ca265172d53a16f9241f3351aa3b8 (diff) | |
| download | nextcloud-server-4d0dcd3c53a4c8c9944bc23d41de71593c3bd5d6.tar.gz nextcloud-server-4d0dcd3c53a4c8c9944bc23d41de71593c3bd5d6.zip | |
Add X-Download-Options and X-Permitted-Cross-Domain-Policies
Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders---
Diffstat (limited to 'core')
| -rw-r--r-- | core/js/setupchecks.js | 4 | ||||
| -rw-r--r-- | core/js/tests/specs/setupchecksSpec.js | 49 |
2 files changed, 41 insertions, 12 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index b1b8dd358d2..f6485c4218c 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -202,7 +202,9 @@ 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }; for (var header in securityHeaders) { diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index 18ba44ac61b..d8d3d68b7a0 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -380,7 +380,14 @@ describe('OC.SetupChecks tests', function() { }, { msg: 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }]); + }, { + msg: 'The "X-Download-Options" HTTP header is not configured to equal to "noopen". This is a potential security or privacy risk and we recommend adjusting this setting.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }, { + msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }, + ]); done(); }); }); @@ -394,7 +401,9 @@ describe('OC.SetupChecks tests', function() { { 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000;preload' + 'Strict-Transport-Security': 'max-age=15768000;preload', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -421,7 +430,9 @@ describe('OC.SetupChecks tests', function() { 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000' + 'Strict-Transport-Security': 'max-age=15768000', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -441,7 +452,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -485,7 +498,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -508,7 +523,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -531,7 +548,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -553,7 +572,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -571,7 +592,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -589,7 +612,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -607,7 +632,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ |