Diffstat (limited to 'lib')
-rw-r--r-- | lib/base.php | 33 | ||||
-rw-r--r-- | lib/private/appframework/app.php | 2 | ||||
-rw-r--r-- | lib/private/appframework/http/request.php | 2 | ||||
-rw-r--r-- | lib/private/response.php | 12 | ||||
-rw-r--r-- | lib/private/user/session.php | 2 |
5 files changed, 7 insertions, 44 deletions
diff --git a/lib/base.php b/lib/base.php index 1f2e90deefd..84616090ec8 100644 --- a/lib/base.php +++ b/lib/base.php @@ -247,34 +247,6 @@ class OC { } } - public static function checkSSL() { - $request = \OC::$server->getRequest(); - - // redirect to https site if configured - if (\OC::$server->getSystemConfig()->getValue('forcessl', false)) { - // Default HSTS policy - $header = 'Strict-Transport-Security: max-age=31536000'; - - // If SSL for subdomains is enabled add "; includeSubDomains" to the header - if(\OC::$server->getSystemConfig()->getValue('forceSSLforSubdomains', false)) { - $header .= '; includeSubDomains'; - } - header($header); - ini_set('session.cookie_secure', true); - - if ($request->getServerProtocol() <> 'https' && !OC::$CLI) { - $url = 'https://' . $request->getServerHost() . $request->getRequestUri(); - header("Location: $url"); - exit(); - } - } else { - // Invalidate HSTS headers - if ($request->getServerProtocol() === 'https') { - header('Strict-Transport-Security: max-age=0'); - } - } - } - public static function checkMaintenanceMode() { // Allow ajax update script to execute without being stopped if (\OC::$server->getSystemConfig()->getValue('maintenance', false) && OC::$SUBURI != '/core/ajax/update.php') { @@ -569,8 +541,11 @@ class OC { self::initTemplateEngine(); self::checkConfig(); self::checkInstalled(); - self::checkSSL(); + OC_Response::addSecurityHeaders(); + if(self::$server->getRequest()->getServerProtocol() === 'https') { + ini_set('session.cookie_secure', true); + } $errors = OC_Util::checkServer(\OC::$server->getConfig()); if (count($errors) > 0) { diff --git a/lib/private/appframework/app.php b/lib/private/appframework/app.php index 6d54b931d5a..1e1915c85d8 100644 --- a/lib/private/appframework/app.php +++ b/lib/private/appframework/app.php 
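Review bot: The new `OC_Response::addSecurityHeaders();` line that replaces `self::checkSSL();` calls a method that, after the response.php hunks in this same diff, emits only the Content-Security-Policy header, and the deleted `checkSSL()` was the only place in this patch that sent Strict-Transport-Security or performed the HTTPS redirect. Nothing in the diff takes over HSTS, the redirect, or the `forcessl` / `forceSSLforSubdomains` config keys; the diffstat is limited to lib, so the replacement (webserver configuration, presumably) may live elsewhere, but a deployment that still has `forcessl` in config.php silently loses the redirect and HSTS with no warning. A one-off notice where the key is still set, e.g. `if (\OC::$server->getSystemConfig()->getValue('forcessl', false)) { /* log: forcessl is no longer honoured; configure the HTTPS redirect and HSTS in the webserver */ }`, would make the change visible to administrators. The added `ini_set('session.cookie_secure', true)` only affects cookies emitted after this point; if the session is started earlier in init() (not visible in this hunk), the session cookie has already gone out without the Secure attribute, so the ordering is worth confirming. The enclosing init() continues outside the hunk.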
@@ -123,7 +123,7 @@ class App { $expireDate, $container->getServer()->getWebRoot(), null, - $container->getServer()->getConfig()->getSystemValue('forcessl', false), + $container->getServer()->getRequest()->getServerProtocol() === 'https', true ); } diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php index f6a89b358db..b1b4b713287 100644 --- a/lib/private/appframework/http/request.php +++ b/lib/private/appframework/http/request.php @@ -475,7 +475,7 @@ class Request implements \ArrayAccess, \Countable, IRequest { private function isOverwriteCondition($type = '') { $regex = '/' . $this->config->getSystemValue('overwritecondaddr', '') . '/'; return $regex === '//' || preg_match($regex, $this->server['REMOTE_ADDR']) === 1 - || ($type !== 'protocol' && $this->config->getSystemValue('forcessl', false)); + || $type !== 'protocol'; } /** diff --git a/lib/private/response.php b/lib/private/response.php index 600b702810c..2bec5e3decd 100644 --- a/lib/private/response.php +++ b/lib/private/response.php @@ -195,15 +195,6 @@ class OC_Response { * components (e.g. SabreDAV) also benefit from this headers. */ public static function addSecurityHeaders() { - header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters - header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE - - // iFrame Restriction Policy - $xFramePolicy = OC_Config::getValue('xframe_restriction', true); - if ($xFramePolicy) { - header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains - } - /** * FIXME: Content Security Policy for legacy ownCloud components. This * can be removed once \OCP\AppFramework\Http\Response from the AppFramework @@ -219,9 +210,6 @@ class OC_Response { . 'media-src *; ' . 'connect-src *'; header('Content-Security-Policy:' . $policy); - - // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag - header('X-Robots-Tag: none'); } } 
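Review bot: The cookie's secure flag is now `$container->getServer()->getRequest()->getServerProtocol() === 'https'`, evaluated per request; behind a TLS-terminating proxy that value is only correct when `overwriteprotocol` is configured, so the same install can emit this cookie with and without the Secure attribute depending on which hop PHP sees, where the removed `forcessl` setting pinned it on. The identical comparison now appears in base.php, app.php and session.php in this diff; one helper on the request object (an `isSecure()`-style method wrapping the comparison) would keep the three call sites from drifting and give the proxy caveat a single home for its docblock. The enclosing method starts and ends outside the hunk.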
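Review bot: With `&& forcessl` removed, the remaining `|| $type !== 'protocol'` makes `isOverwriteCondition()` return true for every non-protocol type regardless of `overwritecondaddr`, whereas before this commit that short-circuit only fired when `forcessl` was on; the remote-address condition now gates only the protocol overwrite. If that is not intended the whole clause should go: `return $regex === '//' || preg_match($regex, $this->server['REMOTE_ADDR']) === 1;`. If it is intended, a comment on the return such as `// overwritecondaddr restricts only the protocol overwrite; host/webroot overwrites always apply` would stop a later reader from "fixing" it, and the config documentation for `overwritecondaddr` should say the same.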
diff --git a/lib/private/user/session.php b/lib/private/user/session.php
index 67a4c7a4361..a7567952053 100644
--- a/lib/private/user/session.php
+++ b/lib/private/user/session.php
@@ -265,7 +265,7 @@ class Session implements IUserSession, Emitter {
 * @param string $token
 */
 public function setMagicInCookie($username, $token) {
- $secureCookie = \OC_Config::getValue("forcessl", false); //TODO: DI for cookies and OC_Config
+ $secureCookie = \OC::$server->getRequest()->getServerProtocol() === 'https';
 $expires = time() + \OC_Config::getValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
 setcookie("oc_username", $username, $expires, \OC::$WEBROOT, '', $secureCookie, true);
 setcookie("oc_token", $token, $expires, \OC::$WEBROOT, '', $secureCookie, true); |
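Review bot: The `//TODO: DI for cookies and OC_Config` comment disappears with the replaced line, but the next context line still calls `\OC_Config::getValue('remember_login_cookie_lifetime', ...)` and the new line reaches for `\OC::$server` statically, so the TODO still applies and should move onto the new line: `$secureCookie = \OC::$server->getRequest()->getServerProtocol() === 'https'; //TODO: DI for cookies and OC_Config`. Both remember-me cookies (`oc_username`, `oc_token`) now take their Secure attribute from the protocol of the request that set them, so a login that reaches PHP over plain HTTP, including behind a proxy without `overwriteprotocol`, stores the token in a cookie without Secure; the previous `forcessl` setting let an administrator force it on independent of what PHP saw, which is worth calling out in the method's docblock. The method's body continues outside the hunk.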