summaryrefslogtreecommitdiffstats
path: root/core
diff options
context:
space:
mode:
authorDaniel Peukert <dan.peukert@gmail.com>2018-10-17 14:28:51 +0200
committerDaniel Peukert <dan.peukert@gmail.com>2018-10-17 14:28:51 +0200
commitb2dfcb5a18d8988f8173b993acb5931bb09263c6 (patch)
treee9d4024147859c9d6da95c857c214510f73c4b4d /core
parent7c8b3c1056d2549734ec4bb9ed547468ca2c2331 (diff)
downloadnextcloud-server-b2dfcb5a18d8988f8173b993acb5931bb09263c6.tar.gz
nextcloud-server-b2dfcb5a18d8988f8173b993acb5931bb09263c6.zip
Check if the X-XSS-Protection header contains the required fields
Signed-off-by: Daniel Peukert <dan.peukert@gmail.com>
Diffstat (limited to 'core')
-rw-r--r--core/js/setupchecks.js13
1 files changed, 12 insertions, 1 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index de329a8ca5c..ac752f1458c 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -422,7 +422,6 @@
if (xhr.status === 200) {
var securityHeaders = {
- 'X-XSS-Protection': ['1; mode=block'],
'X-Content-Type-Options': ['nosniff'],
'X-Robots-Tag': ['none'],
'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
@@ -443,6 +442,18 @@
}
}
+ var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(item => item.trim()) : [];
+ if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
+ messages.push({
+ msg: t('core', 'The "{header}" HTTP header doesn\'t contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
+ {
+ header: 'X-XSS-Protection',
+ expected: '1; mode=block'
+ }),
+ type: OC.SetupChecks.MESSAGE_TYPE_WARNING
+ });
+ }
+
if (!xhr.getResponseHeader('Referrer-Policy') ||
(xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer' &&
xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer-when-downgrade' &&
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-01 11:03:02 +0000