Diffstat (limited to 'core/js/setupchecks.js')
-rw-r--r-- | core/js/setupchecks.js | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 1fe9e770777..ca7d979f5f3 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -427,7 +427,6 @@
 if (xhr.status === 200) {
 var securityHeaders = {
- 'X-XSS-Protection': ['1; mode=block'],
 'X-Content-Type-Options': ['nosniff'],
 'X-Robots-Tag': ['none'],
 'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
@@ -448,19 +447,33 @@
 }
 }
+ var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(function(item) { return item.trim(); }) : [];
+ if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
+ messages.push({
+ msg: t('core', 'The "{header}" HTTP header doesn\'t contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
+ {
+ header: 'X-XSS-Protection',
+ expected: '1; mode=block'
+ }),
+ type: OC.SetupChecks.MESSAGE_TYPE_WARNING
+ });
+ }
+
 if (!xhr.getResponseHeader('Referrer-Policy') ||
 (xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer' &&
 xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer-when-downgrade' &&
 xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin' &&
- xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin-when-cross-origin')) {
+ xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin-when-cross-origin' &&
+ xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'same-origin')) {
 messages.push({
- msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}" or "{val4}". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" href="{link}">W3C Recommendation ↗</a>.',
+ msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}", "{val4}" or "{val5}". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" href="{link}">W3C Recommendation ↗</a>.',
 {
 header: 'Referrer-Policy',
 val1: 'no-referrer',
 val2: 'no-referrer-when-downgrade',
 val3: 'strict-origin',
 val4: 'strict-origin-when-cross-origin',
+ val5: 'same-origin',
 link: 'https://www.w3.org/TR/referrer-policy/'
 }),
 type: OC.SetupChecks.MESSAGE_TYPE_INFO