SONAR-23029 fix ssf

author: lukasz-jarocki-sonarsource <lukasz.jarocki@sonarsource.com> 2024-09-12 16:10:38 +0200
committer: sonartech <sonartech@sonarsource.com> 2024-09-13 20:02:35 +0000
commit: daf512d755a7c23a426b297ff7a43b57b33048f3 (patch)
tree: 7fed61796ab0f55fdbd22bbaecbbb4d65b5d3c19 /server/sonar-webserver/src
parent: 4aa45bbc641827cf55b1c01170a405f2d73c1182 (diff)
download: sonarqube-daf512d755a7c23a426b297ff7a43b57b33048f3.tar.gz
sonarqube-daf512d755a7c23a426b297ff7a43b57b33048f3.zip
3 files changed, 8 insertions, 8 deletions
diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
index afb7332af2c..ce0687a7011 100644
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
+++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
@@ -83,11 +83,11 @@ public class SecurityServletFilter implements Filter {
     }
 
     // Cross-site scripting
-    // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    httpResponse.setHeader("X-XSS-Protection", "1; mode=block");
+    // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
+    httpResponse.setHeader("X-XSS-Protection", "0");
 
     // MIME-sniffing
-    // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+    // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
     httpResponse.setHeader("X-Content-Type-Options", "nosniff");
   }
 
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
index 338c346eee1..1ab54b7902d 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
@@ -54,7 +54,7 @@ public class SecurityErrorReportValveTest {
     underTest.invoke(request, response);
 
     verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
     verify(response).setHeader("X-Content-Type-Options", "nosniff");
     verify(response).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains;");
   }
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
index 14805dc0ed0..500deeb7e5e 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
@@ -99,7 +99,7 @@ public class SecurityServletFilterTest {
     underTest.doFilter(request, response, chain);
 
     verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
     verify(response).setHeader("X-Content-Type-Options", "nosniff");
     assertNull(response.getHeader("Strict-Transport-Security"));
   }
@@ -112,7 +112,7 @@ public class SecurityServletFilterTest {
     underTest.doFilter(request, response, chain);
 
     verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
     verify(response).setHeader("X-Content-Type-Options", "nosniff");
     verify(response).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains;");
   }
@@ -124,7 +124,7 @@ public class SecurityServletFilterTest {
     underTest.doFilter(request, response, chain);
 
     verify(response, never()).setHeader(eq("X-Frame-Options"), anyString());
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
     verify(response).setHeader("X-Content-Type-Options", "nosniff");
   }
 
@@ -138,7 +138,7 @@ public class SecurityServletFilterTest {
     underTest.doFilter(request, response, chain);
 
     verify(response, never()).setHeader(eq("X-Frame-Options"), anyString());
-    verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+    verify(response).setHeader("X-XSS-Protection", "0");
     verify(response).setHeader("X-Content-Type-Options", "nosniff");
   }
author	lukasz-jarocki-sonarsource <lukasz.jarocki@sonarsource.com>	2024-09-12 16:10:38 +0200
committer	sonartech <sonartech@sonarsource.com>	2024-09-13 20:02:35 +0000
commit	daf512d755a7c23a426b297ff7a43b57b33048f3 (patch)
tree	7fed61796ab0f55fdbd22bbaecbbb4d65b5d3c19 /server/sonar-webserver/src
parent	4aa45bbc641827cf55b1c01170a405f2d73c1182 (diff)
download	sonarqube-daf512d755a7c23a426b297ff7a43b57b33048f3.tar.gz sonarqube-daf512d755a7c23a426b297ff7a43b57b33048f3.zip