From 4d0dcd3c53a4c8c9944bc23d41de71593c3bd5d6 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 11 Jan 2016 21:20:42 +0100 Subject: [PATCH] Add X-Download-Options and X-Permitted-Cross-Domain-Policies Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders--- --- .htaccess | 2 ++ core/js/setupchecks.js | 4 ++- core/js/tests/specs/setupchecksSpec.js | 49 ++++++++++++++++++++------ lib/private/response.php | 2 ++ 4 files changed, 45 insertions(+), 12 deletions(-) diff --git a/.htaccess b/.htaccess index d86ed7162d..1b51678956 100644 --- a/.htaccess +++ b/.htaccess @@ -12,6 +12,8 @@ Header set X-XSS-Protection "1; mode=block" Header set X-Robots-Tag "none" Header set X-Frame-Options "SAMEORIGIN" + Header set X-Download-Options "noopen" + Header set X-Permitted-Cross-Domain-Policies "none" SetEnv modHeadersAvailable true diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index b1b8dd358d..f6485c4218 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -202,7 +202,9 @@ 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }; for (var header in securityHeaders) { diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index 18ba44ac61..d8d3d68b7a 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -380,7 +380,14 @@ describe('OC.SetupChecks tests', function() { }, { msg: 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }]); + }, { + msg: 'The "X-Download-Options" HTTP header is not configured to equal to "noopen". This is a potential security or privacy risk and we recommend adjusting this setting.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }, { + msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }, + ]); done(); }); }); @@ -394,7 +401,9 @@ describe('OC.SetupChecks tests', function() { { 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000;preload' + 'Strict-Transport-Security': 'max-age=15768000;preload', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -421,7 +430,9 @@ describe('OC.SetupChecks tests', function() { 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000' + 'Strict-Transport-Security': 'max-age=15768000', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -441,7 +452,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -485,7 +498,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -508,7 +523,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -531,7 +548,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -553,7 +572,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -571,7 +592,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -589,7 +612,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -607,7 +632,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ diff --git a/lib/private/response.php b/lib/private/response.php index b0eb8adc4d..44847466fa 100644 --- a/lib/private/response.php +++ b/lib/private/response.php @@ -260,6 +260,8 @@ class OC_Response { header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag + header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx + header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html } }