authorCôme Chilliet <come.chilliet@nextcloud.com>2024-03-07 18:39:38 +0100
committerFerdinand Thiessen <opensource@fthiessen.de>2024-03-13 12:49:52 +0100
commit310377e496ef049340e10b318bd9498b0fa85f0e (patch)
treee299084ebabda7885e0a8a604ad595f0f3ec68c8 /core
parent1fffdf4763c04a04ba5defb53d6df451fe2a75f9 (diff)
fix: Fix Security headers setup check behavior
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Diffstat (limited to 'core')
-rw-r--r--core/js/setupchecks.js70
1 files changed, 0 insertions, 70 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 00120d678a8..d11f05858c4 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -169,7 +169,6 @@
var deferred = $.Deferred();
var afterCall = function(data, statusText, xhr) {
var messages = [];
- messages = messages.concat(self._checkSecurityHeaders(xhr));
messages = messages.concat(self._checkSSL(xhr));
deferred.resolve(messages);
};
@@ -184,75 +183,6 @@
},
/**
- * Runs check for some generic security headers on the server side
- *
- * @param {Object} xhr
- * @return {Array} Array with error messages
- */
- _checkSecurityHeaders: function(xhr) {
- var messages = [];
-
- if (xhr.status === 200) {
- var securityHeaders = {
- 'X-Content-Type-Options': ['nosniff'],
- 'X-Robots-Tag': ['noindex, nofollow'],
- 'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
- 'X-Permitted-Cross-Domain-Policies': ['none'],
- };
- for (var header in securityHeaders) {
- var option = securityHeaders[header][0];
- if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).replace(/, /, ',').toLowerCase() !== option.replace(/, /, ',').toLowerCase()) {
- var msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
- if(xhr.getResponseHeader(header) && securityHeaders[header].length > 1 && xhr.getResponseHeader(header).toLowerCase() === securityHeaders[header][1].toLowerCase()) {
- msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". Some features might not work correctly, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
- }
- messages.push({
- msg: msg,
- type: OC.SetupChecks.MESSAGE_TYPE_WARNING
- });
- }
- }
-
- var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(function(item) { return item.trim(); }) : [];
- if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
- messages.push({
- msg: t('core', 'The "{header}" HTTP header does not contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
- {
- header: 'X-XSS-Protection',
- expected: '1; mode=block'
- }),
- type: OC.SetupChecks.MESSAGE_TYPE_WARNING
- });
- }
-
- const referrerPolicy = xhr.getResponseHeader('Referrer-Policy')
- if (referrerPolicy === null || !/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/.test(referrerPolicy)) {
- messages.push({
- msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}", "{val4}" or "{val5}". This can leak referer information. See the {linkstart}W3C Recommendation ↗{linkend}.',
- {
- header: 'Referrer-Policy',
- val1: 'no-referrer',
- val2: 'no-referrer-when-downgrade',
- val3: 'strict-origin',
- val4: 'strict-origin-when-cross-origin',
- val5: 'same-origin'
- })
- .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">')
- .replace('{linkend}', '</a>'),
- type: OC.SetupChecks.MESSAGE_TYPE_INFO
- })
- }
- } else {
- messages.push({
- msg: t('core', 'Error occurred while checking server setup'),
- type: OC.SetupChecks.MESSAGE_TYPE_ERROR
- });
- }
-
- return messages;
- },
-
- /**
* Runs check for some SSL configuration issues on the server side
*
* @param {Object} xhr