From 9e57c645e7e73a2e44fb6e34049daaebfff648de Mon Sep 17 00:00:00 2001
From: ho4ho <42564859+ho4ho@users.noreply.github.com>
Date: Sat, 16 Jan 2021 11:58:32 +0100
Subject: [PATCH] Change X-XSS-Protection "1; block" -> "0"

---
 .htaccess | 2 +-
 core/js/setupchecks.js | 2 +-
 core/js/tests/specs/setupchecksSpec.js | 22 +++++++++----------
 lib/private/legacy/response.php | 2 +-
 .../apiWebdavOperations/downloadFile.feature | 2 +-
 tests/data/setUploadLimit/htaccess | 2 +-
 6 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/.htaccess b/.htaccess
index 1debe7817a0a..5a97e001165a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -18,7 +18,7 @@
 Header unset X-Content-Type-Options
 Header always set X-Content-Type-Options "nosniff"
 Header unset X-XSS-Protection
- Header always set X-XSS-Protection "1; mode=block"
+ Header always set X-XSS-Protection "0"
 Header unset X-Robots-Tag
 Header always set X-Robots-Tag "none"
 Header unset X-Frame-Options
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 0b27d1ff7a2d..0f22c392bf71 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -236,7 +236,7 @@
 if (xhr.status === 200) {
 var securityHeaders = {
- 'X-XSS-Protection': '1; mode=block',
+ 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
 'X-Robots-Tag': 'none',
 'X-Frame-Options': 'SAMEORIGIN',
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index 5e5d5c760a25..bbcb160ef1a6 100644
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
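Review bot: With `Header always set X-XSS-Protection "0"` the browser-side auditor is switched off, so any remaining reflected-XSS mitigation has to come from a Content-Security-Policy, and this hunk shows none (the rest of the `<IfModule>` block is outside the hunk) — worth confirming one is sent before relying on `0` alone. The literal `0` is now duplicated without explanation here, in `core/js/setupchecks.js`, in `lib/private/legacy/response.php` and in `tests/data/setUploadLimit/htaccess`, and only the PHP copy carries a comment; a reader of this file will be tempted to restore the previously recommended `1; mode=block`, which would then also trip the setup check. Suggested comment above the directive: `# "0" is intentional: the legacy browser XSS auditor is disabled, see https://github.com/owncloud/core/issues/38236`. Unrelated nit: the patch subject says `"1; block"` while the removed value is `"1; mode=block"`.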
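Review bot: The `securityHeaders` map is compared for exact equality, so after this change an instance whose proxy or webserver still emits `1; mode=block` will be told that the header "is a potential security or privacy risk" (the message text is visible in the spec hunks), which is confusing for a value that was the recommended setting until now. The check itself can stay strict, but the entry deserves a why-comment so the next person does not "fix" it: `'X-XSS-Protection': '0', // auditor deliberately disabled, see https://github.com/owncloud/core/issues/38236`. The `securityHeaders` object and the enclosing function continue past the end of the hunk.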
@@ -416,7 +416,7 @@ describe('OC.SetupChecks tests', function() {
 async.done(function( data, s, x ){
 expect(data).toEqual([
 {
- msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.',
+ msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "0". This is a potential security or privacy risk and we recommend adjusting this setting.',
 type: OC.SetupChecks.MESSAGE_TYPE_WARNING
 }, {
 msg: 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.',
@@ -457,7 +457,7 @@ describe('OC.SetupChecks tests', function() {
 async.done(function( data, s, x ){
 expect(data).toEqual([{
- msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.',
+ msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "0". This is a potential security or privacy risk and we recommend adjusting this setting.',
 type: OC.SetupChecks.MESSAGE_TYPE_WARNING,
 }, {
 msg: 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.',
@@ -474,7 +474,7 @@ describe('OC.SetupChecks tests', function() {
 suite.server.requests[0].respond(
 200,
 {
- 'X-XSS-Protection': '1; mode=block',
+ 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
 'X-Robots-Tag': 'none',
 'X-Frame-Options': 'SAMEORIGIN',
@@ -497,7 +497,7 @@ describe('OC.SetupChecks tests', function() {
 suite.server.requests[0].respond(200, {
- 'X-XSS-Protection': '1; mode=block',
+ 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
 'X-Robots-Tag': 'none',
 'X-Frame-Options': 'SAMEORIGIN',
@@ -543,7 +543,7 @@ describe('OC.SetupChecks tests', function() {
 suite.server.requests[0].respond(200, {
- 'X-XSS-Protection': '1; mode=block',
+ 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
 'X-Robots-Tag': 'none',
 'X-Frame-Options': 'SAMEORIGIN',
@@ -568,7 +568,7 @@ describe('OC.SetupChecks tests', function() {
 suite.server.requests[0].respond(200, {
 'Strict-Transport-Security': 'max-age=15551999',
- 'X-XSS-Protection': '1; mode=block',
+ 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
 'X-Robots-Tag': 'none',
 'X-Frame-Options': 'SAMEORIGIN',
@@ -593,7 +593,7 @@ describe('OC.SetupChecks tests', function() {
 suite.server.requests[0].respond(200, {
 'Strict-Transport-Security': 'iAmABogusHeader342',
- 'X-XSS-Protection': '1; mode=block',
+ 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
 'X-Robots-Tag': 'none',
 'X-Frame-Options': 'SAMEORIGIN',
@@ -617,7 +617,7 @@ describe('OC.SetupChecks tests', function() {
 suite.server.requests[0].respond(200, {
 'Strict-Transport-Security': 'max-age=15768000',
- 'X-XSS-Protection': '1; mode=block',
+ 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
 'X-Robots-Tag': 'none',
 'X-Frame-Options': 'SAMEORIGIN',
@@ -637,7 +637,7 @@ describe('OC.SetupChecks tests', function() {
 suite.server.requests[0].respond(200, {
 'Strict-Transport-Security': 'max-age=99999999',
- 'X-XSS-Protection': '1; mode=block',
+ 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
 'X-Robots-Tag': 'none',
 'X-Frame-Options': 'SAMEORIGIN',
@@ -657,7 +657,7 @@ describe('OC.SetupChecks tests', function() {
 suite.server.requests[0].respond(200, {
 'Strict-Transport-Security': 'max-age=99999999; includeSubDomains',
- 'X-XSS-Protection': '1; mode=block',
+ 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
 'X-Robots-Tag': 'none',
 'X-Frame-Options': 'SAMEORIGIN',
@@ -677,7 +677,7 @@ describe('OC.SetupChecks tests', function() {
 suite.server.requests[0].respond(200, {
 'Strict-Transport-Security': 'max-age=99999999; preload; includeSubDomains',
- 'X-XSS-Protection': '1; mode=block',
+ 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
 'X-Robots-Tag': 'none',
 'X-Frame-Options': 'SAMEORIGIN',
diff --git a/lib/private/legacy/response.php b/lib/private/legacy/response.php
index 5dc458a2051c..76fc3f8c0b0c 100644
--- a/lib/private/legacy/response.php
+++ b/lib/private/legacy/response.php
@@ -258,7 +258,7 @@ public static function addSecurityHeaders() {
 // Send fallback headers for installations that don't have the possibility to send
 // custom headers on the webserver side
 if (\getenv('modHeadersAvailable') !== 'true') {
- \header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
+ \header('X-XSS-Protection: 0'); // Disable browser based XSS filters: https://github.com/owncloud/core/issues/38236
 \header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
 \header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
 \header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
diff --git a/tests/acceptance/features/apiWebdavOperations/downloadFile.feature b/tests/acceptance/features/apiWebdavOperations/downloadFile.feature
index 172819562793..245530c67029 100644
--- a/tests/acceptance/features/apiWebdavOperations/downloadFile.feature
+++ b/tests/acceptance/features/apiWebdavOperations/downloadFile.feature
@@ -53,7 +53,7 @@ Feature: download file
 | X-Frame-Options | SAMEORIGIN |
 | X-Permitted-Cross-Domain-Policies | none |
 | X-Robots-Tag | none |
- | X-XSS-Protection | 1; mode=block |
+ | X-XSS-Protection | 0 |
 And the downloaded content should start with "Welcome"
 Examples:
 | dav_version |
diff --git a/tests/data/setUploadLimit/htaccess b/tests/data/setUploadLimit/htaccess
index 65957a298383..9190fc9cf1e0 100644
--- a/tests/data/setUploadLimit/htaccess
+++ b/tests/data/setUploadLimit/htaccess
@@ -10,7 +10,7 @@
 # Add security and privacy related headers
 Header set X-Content-Type-Options "nosniff"
- Header set X-XSS-Protection "1; mode=block"
+ Header set X-XSS-Protection "0"
 Header set X-Robots-Tag "none"
 Header set X-Frame-Options "SAMEORIGIN"
 SetEnv modHeadersAvailable true