From 6eb466776b642c5689f6f4c216eddf0d302566c0 Mon Sep 17 00:00:00 2001
From: Daniel Kesselberg
Date: Wed, 26 Feb 2020 23:14:38 +0100
Subject: [PATCH] Don't show referrer policy warning if fallback policy set.

Test-Set: no-referrer-when-downgrade no-referrer strict-origin-when-cross-origin same-origin no-referrer, strict-origin-when-cross-origin strict-origin- unsafe-raw, same-origin strict-origin-when-downgrade
Signed-off-by: Daniel Kesselberg
---
 core/js/setupchecks.js | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 1e50644aa2..95fb4f6b21 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -573,12 +573,8 @@
 });
 }
- if (!xhr.getResponseHeader('Referrer-Policy') ||
- (xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer' &&
- xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer-when-downgrade' &&
- xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin' &&
- xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin-when-cross-origin' &&
- xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'same-origin')) {
+ const referrerPolicy = xhr.getResponseHeader('Referrer-Policy')
+ if (referrerPolicy === null || !/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/.test(referrerPolicy)) {
 messages.push({
 msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}", "{val4}" or "{val5}". This can leak referer information. See the W3C Recommendation ↗.', {
@@ -591,7 +587,7 @@
 link: 'https://www.w3.org/TR/referrer-policy/'
 }),
 type: OC.SetupChecks.MESSAGE_TYPE_INFO
- });
+ })
 }
 } else {
 messages.push({
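Review bot: The new `if` line in the first hunk drops the `.toLowerCase()` that every removed comparison applied, so a header such as `No-Referrer` now triggers the warning where it previously passed; the `i` flag on the regex restores that tolerance. The pattern also has no leading boundary, so a listed token only has to appear somewhere in the value, and if I read the W3C header-parsing algorithm correctly the last recognized token wins, meaning a value like `no-referrer, unsafe-url` satisfies this check although browsers would apply `unsafe-url` — worth deciding whether the check should look at the last token rather than any token. A minimal version that keeps the current any-token semantics but is case-insensitive and token-bounded is `if (referrerPolicy === null || !/(^|,)\s*(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)\s*(,|$)/i.test(referrerPolicy)) {`. The `const referrerPolicy` line also omits the trailing semicolon the surrounding statements use. The enclosing function starts and ends outside the hunk.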