From 4d0dcd3c53a4c8c9944bc23d41de71593c3bd5d6 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jan 2016 21:20:42 +0100 Subject: Add X-Download-Options and X-Permitted-Cross-Domain-Policies Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders--- --- core/js/setupchecks.js | 4 ++- core/js/tests/specs/setupchecksSpec.js | 49 ++++++++++++++++++++++++++-------- 2 files changed, 41 insertions(+), 12 deletions(-) (limited to 'core/js') diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index b1b8dd358d2..f6485c4218c 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -202,7 +202,9 @@ 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }; for (var header in securityHeaders) { diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index 18ba44ac61b..d8d3d68b7a0 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -380,7 +380,14 @@ describe('OC.SetupChecks tests', function() { }, { msg: 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }]); + }, { + msg: 'The "X-Download-Options" HTTP header is not configured to equal to "noopen". This is a potential security or privacy risk and we recommend adjusting this setting.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }, { + msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }, + ]); done(); }); }); @@ -394,7 +401,9 @@ describe('OC.SetupChecks tests', function() { { 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000;preload' + 'Strict-Transport-Security': 'max-age=15768000;preload', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -421,7 +430,9 @@ describe('OC.SetupChecks tests', function() { 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000' + 'Strict-Transport-Security': 'max-age=15768000', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -441,7 +452,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -485,7 +498,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -508,7 +523,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -531,7 +548,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -553,7 +572,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -571,7 +592,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -589,7 +612,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -607,7 +632,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ -- cgit v1.2.3