diff --git a/.htaccess b/.htaccess index d86ed7162d..1b51678956 100644 --- a/.htaccess +++ b/.htaccess @@ -12,6 +12,8 @@ Header set X-XSS-Protection "1; mode=block" Header set X-Robots-Tag "none" Header set X-Frame-Options "SAMEORIGIN" + Header set X-Download-Options "noopen" + Header set X-Permitted-Cross-Domain-Policies "none" SetEnv modHeadersAvailable true diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index 2f0cc4c7b3..2fa119334d 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -208,7 +208,9 @@ 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }; for (var header in securityHeaders) { diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index bb5d6d3881..fff169ec09 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -389,7 +389,14 @@ describe('OC.SetupChecks tests', function() { }, { msg: 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }]); + }, { + msg: 'The "X-Download-Options" HTTP header is not configured to equal to "noopen". This is a potential security or privacy risk and we recommend adjusting this setting.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }, { + msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.', + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }, + ]); done(); }); }); @@ -403,7 +410,9 @@ describe('OC.SetupChecks tests', function() { { 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000;preload' + 'Strict-Transport-Security': 'max-age=15768000;preload', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -430,7 +439,9 @@ describe('OC.SetupChecks tests', function() { 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', 'X-Frame-Options': 'SAMEORIGIN', - 'Strict-Transport-Security': 'max-age=15768000' + 'Strict-Transport-Security': 'max-age=15768000', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -450,7 +461,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -494,7 +507,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -517,7 +532,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -540,7 +557,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', } ); @@ -562,7 +581,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -580,7 +601,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -598,7 +621,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ @@ -616,7 +641,9 @@ describe('OC.SetupChecks tests', function() { 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'X-Robots-Tag': 'none', - 'X-Frame-Options': 'SAMEORIGIN' + 'X-Frame-Options': 'SAMEORIGIN', + 'X-Download-Options': 'noopen', + 'X-Permitted-Cross-Domain-Policies': 'none', }); async.done(function( data, s, x ){ diff --git a/lib/private/response.php b/lib/private/response.php index c839bd3abe..5c7eb9b52d 100644 --- a/lib/private/response.php +++ b/lib/private/response.php @@ -260,6 +260,8 @@ class OC_Response { header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag + header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx + header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html } }