Diffstat (limited to 'apps/settings/tests/SetupChecks/SecurityHeadersTest.php')
-rw-r--r--apps/settings/tests/SetupChecks/SecurityHeadersTest.php62
1 files changed, 17 insertions, 45 deletions
diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
index fb8eb757460..1f75907d427 100644
--- a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
+++ b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
@@ -3,27 +3,10 @@
declare(strict_types=1);
/**
- * @copyright Copyright (c) 2024 Côme Chilliet <come.chilliet@nextcloud.com>
- *
- * @author Côme Chilliet <come.chilliet@nextcloud.com>
- *
- * @license AGPL-3.0-or-later
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
*/
-namespace OCA\Settings\Tests;
+namespace OCA\Settings\Tests\SetupChecks;
use OCA\Settings\SetupChecks\SecurityHeaders;
use OCP\Http\Client\IClientService;
@@ -37,19 +20,17 @@ use Psr\Log\LoggerInterface;
use Test\TestCase;
class SecurityHeadersTest extends TestCase {
- private IL10N|MockObject $l10n;
- private IConfig|MockObject $config;
- private IURLGenerator|MockObject $urlGenerator;
- private IClientService|MockObject $clientService;
- private LoggerInterface|MockObject $logger;
- private SecurityHeaders|MockObject $setupcheck;
+ private IL10N&MockObject $l10n;
+ private IConfig&MockObject $config;
+ private IURLGenerator&MockObject $urlGenerator;
+ private IClientService&MockObject $clientService;
+ private LoggerInterface&MockObject $logger;
+ private SecurityHeaders&MockObject $setupcheck;
protected function setUp(): void {
parent::setUp();
- /** @var IL10N|MockObject */
- $this->l10n = $this->getMockBuilder(IL10N::class)
- ->disableOriginalConstructor()->getMock();
+ $this->l10n = $this->createMock(IL10N::class);
$this->l10n->expects($this->any())
->method('t')
->willReturnCallback(function ($message, array $replace) {
@@ -103,17 +84,16 @@ class SecurityHeadersTest extends TestCase {
$result = $this->setupcheck->run();
$this->assertEquals(
- "Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
+ "Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
$result->getDescription()
);
$this->assertEquals(SetupResult::WARNING, $result->getSeverity());
}
- public function dataSuccess(): array {
+ public static function dataSuccess(): array {
return [
// description => modifiedHeaders
'basic' => [[]],
- 'extra-xss-protection' => [['X-XSS-Protection' => '1; mode=block; report=https://example.com']],
'no-space-in-x-robots' => [['X-Robots-Tag' => 'noindex,nofollow']],
'strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
'referrer-no-referrer-when-downgrade' => [['Referrer-Policy' => 'no-referrer-when-downgrade']],
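Review bot: `dataSuccess()` at L77 becomes a static provider but still returns an undocumented nested array, so the shape consumed by `testSuccess(array $headers)` is only discoverable by reading the cases; the same applies to `dataFailure()` at L104, whose rows carry a second string element. A short PHPDoc on each would let PHPStan/Psalm check the provider against the test signature: `/** @return array<string, array{array<string, string>}> */` on `dataSuccess` and `/** @return array<string, array{array<string, string>, string}> */` on `dataFailure`. The `// description => modifiedHeaders` comment on L79 could then name the second column for `dataFailure` too (`// description => [modifiedHeaders, expectedMessage]`). The test method preceding this provider starts outside the hunk.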
@@ -126,13 +106,10 @@ class SecurityHeadersTest extends TestCase {
];
}
- /**
- * @dataProvider dataSuccess
- */
- public function testSuccess($headers): void {
+ #[\PHPUnit\Framework\Attributes\DataProvider('dataSuccess')]
+ public function testSuccess(array $headers): void {
$headers = array_merge(
[
- 'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff',
'X-Robots-Tag' => 'noindex, nofollow',
'X-Frame-Options' => 'SAMEORIGIN',
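Review bot: The attribute on L92 is written with its fully-qualified name inline (`#[\PHPUnit\Framework\Attributes\DataProvider('dataSuccess')]`), while the rest of the file imports its PHPUnit symbols (`MockObject` is used unqualified on L52–L57); the same inline form appears on L119. For consistency with PSR-12 and the existing `use` block, add `use PHPUnit\Framework\Attributes\DataProvider;` next to the other imports and write `#[DataProvider('dataSuccess')]` and `#[DataProvider('dataFailure')]`. The body of `testSuccess` continues past the end of this hunk.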
@@ -155,12 +132,10 @@ class SecurityHeadersTest extends TestCase {
$this->assertEquals(SetupResult::SUCCESS, $result->getSeverity());
}
- public function dataFailure(): array {
+ public static function dataFailure(): array {
return [
// description => modifiedHeaders
'x-robots-none' => [['X-Robots-Tag' => 'none'], "- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
- 'xss-protection-1' => [['X-XSS-Protection' => '1'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
- 'xss-protection-0' => [['X-XSS-Protection' => '0'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
@@ -170,13 +145,10 @@ class SecurityHeadersTest extends TestCase {
];
}
- /**
- * @dataProvider dataFailure
- */
+ #[\PHPUnit\Framework\Attributes\DataProvider('dataFailure')]
public function testFailure(array $headers, string $msg): void {
$headers = array_merge(
[
- 'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff',
'X-Robots-Tag' => 'noindex, nofollow',
'X-Frame-Options' => 'SAMEORIGIN',
@@ -193,7 +165,7 @@ class SecurityHeadersTest extends TestCase {
$result = $this->setupcheck->run();
$this->assertEquals(
- 'Some headers are not set correctly on your instance'."\n$msg",
+ 'Some headers are not set correctly on your instance' . "\n$msg",
$result->getDescription()
);
$this->assertEquals(SetupResult::WARNING, $result->getSeverity());