Fix X-Robots-Tag header valid values check

changelog/unreleased/40715

@@ -0,0 +1,7 @@
+Enhancement: Improve X-Robots-Tag header values check
+
+Setup checks now allows other values other than "none" for X-Robots-Tag header.
+If "none" or "noindex" and "nofollow" are missing, a security warning is raised.
+Previously a header value with "noindex" and "nofollow" wasn't allowed even though it was valid.
+
+https://github.com/owncloud/core/pull/40715

core/js/setupchecks.js

@@ -238,17 +238,34 @@
 				var securityHeaders = {
 					'X-XSS-Protection': '0',
 					'X-Content-Type-Options': 'nosniff',
-					'X-Robots-Tag': 'none',
+					'X-Robots-Tag': ['none', 'noindex', 'nofollow'],
 					'X-Frame-Options': 'SAMEORIGIN',
 					'X-Download-Options': 'noopen',
 					'X-Permitted-Cross-Domain-Policies': 'none',
 				};
 
 				for (var header in securityHeaders) {
-					if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) {
+					if (header === 'X-Robots-Tag') {
+						xRobotsTagValues = [];
+						if (xhr.getResponseHeader(header)) {
+							xRobotsTagValues = xhr.getResponseHeader(header).split(',').map(function(item) {
+								return item.trim();
+							});
+						}
+
+						var hasNoneDirective = xRobotsTagValues.indexOf('none') !== -1;
+						var hasNoIndexAndNoFollowDirectives = xRobotsTagValues.indexOf('noindex') !== -1 && xRobotsTagValues.indexOf('nofollow') !== -1;
+
+						if (!hasNoneDirective && !hasNoIndexAndNoFollowDirectives) {
+							messages.push({
+								msg: t('core', 'The "{header}" HTTP header is misconfigured. Expected values are "none" or "noindex, nofollow". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header}),
+								type: OC.SetupChecks.MESSAGE_TYPE_WARNING
+							});
+						}
+					} else if (!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) {
 						messages.push({
-							msg: t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}),
-							type: OC.SetupChecks.MESSAGE_TYPE_WARNING
+						    msg: t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}),
+						    type: OC.SetupChecks.MESSAGE_TYPE_WARNING
 						});
 					}
 				}

core/js/tests/specs/setupchecksSpec.js

@@ -422,9 +422,8 @@ describe('OC.SetupChecks tests', function() {
 					msg: 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.',
 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING
 				}, {
-					msg: 'The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.',
+					msg: 'The "X-Robots-Tag" HTTP header is misconfigured. Expected values are "none" or "noindex, nofollow". This is a potential security or privacy risk and we recommend adjusting this setting.',
 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING
-
 				}, {
 					msg: 'The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.',
 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING