diff options
| author | Thomas Müller <thomas.mueller@tmit.eu> | 2014-05-12 15:14:01 +0200 |
|---|---|---|
| committer | Thomas Müller <thomas.mueller@tmit.eu> | 2014-05-12 15:14:01 +0200 |
| commit | 3cd32dcb7c368e48a5a7bf510864c8ddd9be85e8 (patch) | |
| tree | 7aae7904ca1c8c072bbb483fe6a5786c82ad932e /lib | |
| parent | 9a9665f361c42764f5ae9f5f3ce63f71fdfcad5c (diff) | |
| download | nextcloud-server-3cd32dcb7c368e48a5a7bf510864c8ddd9be85e8.tar.gz nextcloud-server-3cd32dcb7c368e48a5a7bf510864c8ddd9be85e8.zip | |
adding X-Robots-Tag to all responses of ownCloud + move addSecurityHeaders() to OC_Response, which seems to be a more reasonable place
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/base.php | 30 | ||||
| -rw-r--r-- | lib/private/response.php | 32 |
2 files changed, 33 insertions, 29 deletions
diff --git a/lib/base.php b/lib/base.php index f8266ac649f..be613706e64 100644 --- a/lib/base.php +++ b/lib/base.php @@ -212,34 +212,6 @@ class OC { } } - /* - * This function adds some security related headers to all requests served via base.php - * The implementation of this function has to happen here to ensure that all third-party - * components (e.g. SabreDAV) also benefit from this headers. - */ - public static function addSecurityHeaders() { - header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters - header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE - - // iFrame Restriction Policy - $xFramePolicy = OC_Config::getValue('xframe_restriction', true); - if($xFramePolicy) { - header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains - } - - // Content Security Policy - // If you change the standard policy, please also change it in config.sample.php - $policy = OC_Config::getValue('custom_csp_policy', - 'default-src \'self\'; ' - .'script-src \'self\' \'unsafe-eval\'; ' - .'style-src \'self\' \'unsafe-inline\'; ' - .'frame-src *; ' - .'img-src *; ' - .'font-src \'self\' data:; ' - .'media-src *'); - header('Content-Security-Policy:'.$policy); - } - public static function checkSSL() { // redirect to https site if configured if (OC_Config::getValue("forcessl", false)) { @@ -545,7 +517,7 @@ class OC { self::checkConfig(); self::checkInstalled(); self::checkSSL(); - self::addSecurityHeaders(); + OC_Response::addSecurityHeaders(); $errors = OC_Util::checkServer(); if (count($errors) > 0) { diff --git a/lib/private/response.php b/lib/private/response.php index 1aa5e629b8b..4905c0a787b 100644 --- a/lib/private/response.php +++ b/lib/private/response.php @@ -186,4 +186,36 @@ class OC_Response { self::setStatus(self::STATUS_NOT_FOUND); } } + + /* + * This function adds some security related headers to all requests served via base.php + * The implementation of this function has to happen here to ensure that all third-party + * components (e.g. SabreDAV) also benefit from this headers. + */ + public static function addSecurityHeaders() { + header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters + header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE + + // iFrame Restriction Policy + $xFramePolicy = OC_Config::getValue('xframe_restriction', true); + if ($xFramePolicy) { + header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains + } + + // Content Security Policy + // If you change the standard policy, please also change it in config.sample.php + $policy = OC_Config::getValue('custom_csp_policy', + 'default-src \'self\'; ' + . 'script-src \'self\' \'unsafe-eval\'; ' + . 'style-src \'self\' \'unsafe-inline\'; ' + . 'frame-src *; ' + . 'img-src *; ' + . 'font-src \'self\' data:; ' + . 'media-src *'); + header('Content-Security-Policy:' . $policy); + + // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag + header('X-Robots-Tag: none'); + } + } |