Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/nextcloud/server.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/core/js/setupchecks.js
diff options
context:
space:
mode:
Diffstat (limited to 'core/js/setupchecks.js')
-rw-r--r--core/js/setupchecks.js19
1 files changed, 16 insertions, 3 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 1fe9e770777..ca7d979f5f3 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -427,7 +427,6 @@
if (xhr.status === 200) {
var securityHeaders = {
- 'X-XSS-Protection': ['1; mode=block'],
'X-Content-Type-Options': ['nosniff'],
'X-Robots-Tag': ['none'],
'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
@@ -448,19 +447,33 @@
}
}
+ var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(function(item) { return item.trim(); }) : [];
+ if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
+ messages.push({
+ msg: t('core', 'The "{header}" HTTP header doesn\'t contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
+ {
+ header: 'X-XSS-Protection',
+ expected: '1; mode=block'
+ }),
+ type: OC.SetupChecks.MESSAGE_TYPE_WARNING
+ });
+ }
+
if (!xhr.getResponseHeader('Referrer-Policy') ||
(xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer' &&
xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer-when-downgrade' &&
xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin' &&
- xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin-when-cross-origin')) {
+ xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin-when-cross-origin' &&
+ xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'same-origin')) {
messages.push({
- msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}" or "{val4}". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" href="{link}">W3C Recommendation ↗</a>.',
+ msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}", "{val4}" or "{val5}". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" href="{link}">W3C Recommendation ↗</a>.',
{
header: 'Referrer-Policy',
val1: 'no-referrer',
val2: 'no-referrer-when-downgrade',
val3: 'strict-origin',
val4: 'strict-origin-when-cross-origin',
+ val5: 'same-origin',
link: 'https://www.w3.org/TR/referrer-policy/'
}),
type: OC.SetupChecks.MESSAGE_TYPE_INFO
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-22 21:37:34 +0300