Check if the X-XSS-Protection header contains the required fields

Signed-off-by: Daniel Peukert <dan.peukert@gmail.com>
This commit is contained in:
Daniel Peukert 2018-10-17 14:28:51 +02:00
parent 7c8b3c1056
commit b2dfcb5a18
1 changed files with 12 additions and 1 deletions

View File

@ -422,7 +422,6 @@
if (xhr.status === 200) { if (xhr.status === 200) {
var securityHeaders = { var securityHeaders = {
'X-XSS-Protection': ['1; mode=block'],
'X-Content-Type-Options': ['nosniff'], 'X-Content-Type-Options': ['nosniff'],
'X-Robots-Tag': ['none'], 'X-Robots-Tag': ['none'],
'X-Frame-Options': ['SAMEORIGIN', 'DENY'], 'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
@ -443,6 +442,18 @@
} }
} }
var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(item => item.trim()) : [];
if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
messages.push({
msg: t('core', 'The "{header}" HTTP header doesn\'t contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
{
header: 'X-XSS-Protection',
expected: '1; mode=block'
}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
if (!xhr.getResponseHeader('Referrer-Policy') || if (!xhr.getResponseHeader('Referrer-Policy') ||
(xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer' && (xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer' &&
xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer-when-downgrade' && xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer-when-downgrade' &&