Skip to content

Commit

Permalink
Add referrer policy setup check
Browse files Browse the repository at this point in the history 
Fixes #9122

Based on https://www.w3.org/TR/referrer-policy/ and
https://scotthelme.co.uk/a-new-security-header-referrer-policy/

Setting a sane Referrer-Policy will tell the browser if/when to send
referrer headers when accessing a link from Nextcloud. When configured
properly this results in less tracking and less leaking of (possibly)
sensitive urls

* Fix tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
  • Loading branch information
@rullzer
rullzer committed Jun 2, 2018
1 parent d9238b8 commit b7aca0e
Show file tree
Hide file tree
Showing 2 changed files with 223 additions and 1 deletion.
19 changes: 19 additions & 0 deletions core/js/setupchecks.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -283,6 +283,25 @@
});
}
}

if (!xhr.getResponseHeader('Referrer-Policy') ||
(xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer' &&
xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer-when-downgrade' &&
xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin' &&
xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'strict-origin-when-cross-origin')) {
messages.push({
msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}" or "{val4}". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" href="{link}">W3C Recommendation</a>.',
{
header: 'Referrer-Policy',
val1: 'no-referrer',
val2: 'no-referrer-when-downgrade',
val3: 'strict-origin',
val4: 'strict-origin-when-cross-origin',
link: 'https://www.w3.org/TR/referrer-policy/'
}),
type: OC.SetupChecks.MESSAGE_TYPE_INFO
});
}
} else {
messages.push({
msg: t('core', 'Error occurred while checking server setup'),
Expand Down
205 changes: 204 additions & 1 deletion core/js/tests/specs/setupchecksSpec.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -538,7 +538,10 @@ describe('OC.SetupChecks tests', function() {
}, {
msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
},
}, {
msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
done();
});
Expand All @@ -556,6 +559,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security': 'max-age=15768000;preload',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
}
);

Expand Down Expand Up @@ -585,6 +589,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security': 'max-age=15768000',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer'
}
);

Expand All @@ -593,6 +598,196 @@ describe('OC.SetupChecks tests', function() {
done();
});
});

describe('check Referrer-Policy header', function() {
it('should return no message if Reffere-Policy is set to no-referrer', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();

suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});

async.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});

it('should return no message if Reffere-Policy is set to no-referrer-when-downgrade', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();

suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer-when-downgrade',
});

async.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});

it('should return no message if Reffere-Policy is set to strict-origin', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();

suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'strict-origin',
});

async.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});

it('should return no message if Reffere-Policy is set to strict-origin-when-cross-origin', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();

suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'strict-origin-when-cross-origin',
});

async.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});

it('should return a message if Reffere-Policy is set to same-origin', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();

suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'same-origin',
});

async.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
done();
});
});

it('should return a message if Reffere-Policy is set to origin', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();

suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'origin',
});

async.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
done();
});
});

it('should return a message if Reffere-Policy is set to origin-when-cross-origin', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();

suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'origin-when-cross-origin',
});

async.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
done();
});
});

it('should return a message if Reffere-Policy is set to unsafe-url', function(done) {
protocolStub.returns('https');
var async = OC.SetupChecks.checkGeneric();

suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'unsafe-url',
});

async.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}
]);
done();
});
});
});
});

it('should return a SSL warning if HTTPS is not used', function(done) {
Expand All @@ -607,6 +802,7 @@ describe('OC.SetupChecks tests', function() {
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
}
);

Expand Down Expand Up @@ -653,6 +849,7 @@ describe('OC.SetupChecks tests', function() {
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
}
);

Expand All @@ -678,6 +875,7 @@ describe('OC.SetupChecks tests', function() {
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
}
);

Expand All @@ -703,6 +901,7 @@ describe('OC.SetupChecks tests', function() {
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
}
);

Expand All @@ -727,6 +926,7 @@ describe('OC.SetupChecks tests', function() {
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});

async.done(function( data, s, x ){
Expand All @@ -747,6 +947,7 @@ describe('OC.SetupChecks tests', function() {
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});

async.done(function( data, s, x ){
Expand All @@ -767,6 +968,7 @@ describe('OC.SetupChecks tests', function() {
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});

async.done(function( data, s, x ){
Expand All @@ -787,6 +989,7 @@ describe('OC.SetupChecks tests', function() {
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});

async.done(function( data, s, x ){
Expand Down

0 comments on commit b7aca0e

Please sign in to comment.