diff --git a/changelog/unreleased/40715 b/changelog/unreleased/40715
new file mode 100644
index 000000000000..8a164604e080
--- /dev/null
+++ b/changelog/unreleased/40715
@@ -0,0 +1,7 @@
+Enhancement: Improve X-Robots-Tag header values check
+
+Setup checks now allows other values other than "none" for X-Robots-Tag header.
+If "none" or "noindex" and "nofollow" are missing, a security warning is raised.
+Previously a header value with "noindex" and "nofollow" wasn't allowed even though it was valid.
+
+https://github.com/owncloud/core/pull/40715
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 3e4e5097b30e..b4fd2d2c7822
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -238,17 +238,34 @@ var securityHeaders = { 'X-XSS-Protection': '0', 'X-Content-Type-Options': 'nosniff', - 'X-Robots-Tag': 'none', + 'X-Robots-Tag': ['none', 'noindex', 'nofollow'], 'X-Frame-Options': 'SAMEORIGIN', 'X-Download-Options': 'noopen', 'X-Permitted-Cross-Domain-Policies': 'none', }; for (var header in securityHeaders) { - if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) { + if (header === 'X-Robots-Tag') { + xRobotsTagValues = []; + if (xhr.getResponseHeader(header)) { + xRobotsTagValues = xhr.getResponseHeader(header).split(',').map(function(item) { + return item.trim(); + }); + } + + var hasNoneDirective = xRobotsTagValues.indexOf('none') !== -1; + var hasNoIndexAndNoFollowDirectives = xRobotsTagValues.indexOf('noindex') !== -1 && xRobotsTagValues.indexOf('nofollow') !== -1; + + if (!hasNoneDirective && !hasNoIndexAndNoFollowDirectives) { + messages.push({ + msg: t('core', 'The "{header}" HTTP header is misconfigured. Expected values are "none" or "noindex, nofollow". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header}), + type: OC.SetupChecks.MESSAGE_TYPE_WARNING + }); + } + } else if (!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) { messages.push({ - msg: t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}), - type: OC.SetupChecks.MESSAGE_TYPE_WARNING + msg: t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}), + type: OC.SetupChecks.MESSAGE_TYPE_WARNING }); } } 
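Review bot: The new X-Robots-Tag branch compares the split directives case-sensitively, while the check it replaces (and the `else if` branch kept for the other headers) lowercases the header value first, so a server that sends `X-Robots-Tag: None` or `NOINDEX, NOFOLLOW` — accepted before, and valid since the directives are conventionally case-insensitive — now gets a spurious warning. In the same branch `xRobotsTagValues = [];` is assigned without `var`, which creates an implicit global, or a ReferenceError if this file runs in strict mode (not visible from the hunk). Lowercase once when splitting and declare the local: `var xRobotsTagValues = [];` and `xRobotsTagValues = xhr.getResponseHeader(header).toLowerCase().split(',').map(function(item) {`. The enclosing function starts and ends outside the hunk.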
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index 6a9c4137c86d..759e5923ccc0
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
@@ -422,9 +422,8 @@ describe('OC.SetupChecks tests', function() {
 msg: 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.',
 type: OC.SetupChecks.MESSAGE_TYPE_WARNING
 }, {
-msg: 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.',
+msg: 'The "X-Robots-Tag" HTTP header is misconfigured. Expected values are "none" or "noindex, nofollow". This is a potential security or privacy risk and we recommend adjusting this setting.',
 type: OC.SetupChecks.MESSAGE_TYPE_WARNING
-}, {
 msg: 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.',
 type: OC.SetupChecks.MESSAGE_TYPE_WARNING