diff --git a/.htaccess b/.htaccess index 164a630b75f..fb86475eef0 100644 --- a/.htaccess +++ b/.htaccess @@ -40,9 +40,6 @@ Header onsuccess unset X-Robots-Tag Header always set X-Robots-Tag "noindex, nofollow" - Header onsuccess unset X-XSS-Protection - Header always set X-XSS-Protection "1; mode=block" - SetEnv modHeadersAvailable true diff --git a/apps/settings/lib/SetupChecks/SecurityHeaders.php b/apps/settings/lib/SetupChecks/SecurityHeaders.php index ed4e56218da..9cc6856a170 100644 --- a/apps/settings/lib/SetupChecks/SecurityHeaders.php +++ b/apps/settings/lib/SetupChecks/SecurityHeaders.php @@ -72,11 +72,6 @@ class SecurityHeaders implements ISetupCheck { } } - $xssFields = array_map('trim', explode(';', $response->getHeader('X-XSS-Protection'))); - if (!in_array('1', $xssFields) || !in_array('mode=block', $xssFields)) { - $msg .= $this->l10n->t('- The `%1$s` HTTP header does not contain `%2$s`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', ['X-XSS-Protection', '1; mode=block']) . "\n"; - } - $referrerPolicy = $response->getHeader('Referrer-Policy'); if (!preg_match('/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/', $referrerPolicy)) { $msg .= $this->l10n->t( diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php index e7d87775485..17e631b0025 100644 --- a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php +++ b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php @@ -84,7 +84,7 @@ class SecurityHeadersTest extends TestCase { $result = $this->setupcheck->run(); $this->assertEquals( - "Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n", + "Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n", $result->getDescription() ); $this->assertEquals(SetupResult::WARNING, $result->getSeverity()); @@ -94,7 +94,6 @@ class SecurityHeadersTest extends TestCase { return [ // description => modifiedHeaders 'basic' => [[]], - 'extra-xss-protection' => [['X-XSS-Protection' => '1; mode=block; report=https://example.com']], 'no-space-in-x-robots' => [['X-Robots-Tag' => 'noindex,nofollow']], 'strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']], 'referrer-no-referrer-when-downgrade' => [['Referrer-Policy' => 'no-referrer-when-downgrade']], @@ -113,7 +112,6 @@ class SecurityHeadersTest extends TestCase { public function testSuccess(array $headers): void { $headers = array_merge( [ - 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff', 'X-Robots-Tag' => 'noindex, nofollow', 'X-Frame-Options' => 'SAMEORIGIN', @@ -140,8 +138,6 @@ class SecurityHeadersTest extends TestCase { return [ // description => modifiedHeaders 'x-robots-none' => [['X-Robots-Tag' => 'none'], "- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"], - 'xss-protection-1' => [['X-XSS-Protection' => '1'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"], - 'xss-protection-0' => [['X-XSS-Protection' => '0'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"], 'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"], 'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"], 'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"], @@ -157,7 +153,6 @@ class SecurityHeadersTest extends TestCase { public function testFailure(array $headers, string $msg): void { $headers = array_merge( [ - 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff', 'X-Robots-Tag' => 'noindex, nofollow', 'X-Frame-Options' => 'SAMEORIGIN', diff --git a/build/integration/dav_features/carddav.feature b/build/integration/dav_features/carddav.feature index f1ea46af886..35e85639817 100644 --- a/build/integration/dav_features/carddav.feature +++ b/build/integration/dav_features/carddav.feature @@ -49,7 +49,6 @@ Feature: carddav |X-Frame-Options|SAMEORIGIN| |X-Permitted-Cross-Domain-Policies|none| |X-Robots-Tag|noindex, nofollow| - |X-XSS-Protection|1; mode=block| Scenario: Exporting the picture of ones own contact Given "admin" creates an addressbook named "MyAddressbook" with statuscode "201" @@ -63,7 +62,6 @@ Feature: carddav |X-Frame-Options|SAMEORIGIN| |X-Permitted-Cross-Domain-Policies|none| |X-Robots-Tag|noindex, nofollow| - |X-XSS-Protection|1; mode=block| Scenario: Create addressbook request for non-existing addressbook of another user Given user "user0" exists diff --git a/build/integration/dav_features/dav-v2.feature b/build/integration/dav_features/dav-v2.feature index 9eae9a1b5fd..dbd2295497f 100644 --- a/build/integration/dav_features/dav-v2.feature +++ b/build/integration/dav_features/dav-v2.feature @@ -41,7 +41,6 @@ Feature: dav-v2 |X-Frame-Options|SAMEORIGIN| |X-Permitted-Cross-Domain-Policies|none| |X-Robots-Tag|noindex, nofollow| - |X-XSS-Protection|1; mode=block| And Downloaded content should start with "Welcome to your Nextcloud account!" Scenario: Doing a GET with a web login should work without CSRF token on the new backend diff --git a/build/integration/dav_features/webdav-related.feature b/build/integration/dav_features/webdav-related.feature index f439330838c..12fd3d44c4f 100644 --- a/build/integration/dav_features/webdav-related.feature +++ b/build/integration/dav_features/webdav-related.feature @@ -291,7 +291,6 @@ Feature: webdav-related |X-Frame-Options|SAMEORIGIN| |X-Permitted-Cross-Domain-Policies|none| |X-Robots-Tag|noindex, nofollow| - |X-XSS-Protection|1; mode=block| And Downloaded content should start with "Welcome to your Nextcloud account!" Scenario: Doing a GET with a web login should work without CSRF token on the old backend diff --git a/lib/private/legacy/OC_Response.php b/lib/private/legacy/OC_Response.php index 86274f5fcb7..c45852b4b1d 100644 --- a/lib/private/legacy/OC_Response.php +++ b/lib/private/legacy/OC_Response.php @@ -78,7 +78,6 @@ class OC_Response { header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html header('X-Robots-Tag: noindex, nofollow'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag - header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters } } } diff --git a/tests/data/setUploadLimit/htaccess b/tests/data/setUploadLimit/htaccess index 53f743f45e7..06e2c7ec2e4 100644 --- a/tests/data/setUploadLimit/htaccess +++ b/tests/data/setUploadLimit/htaccess @@ -10,7 +10,6 @@ # Add security and privacy related headers Header set X-Content-Type-Options "nosniff" - Header set X-XSS-Protection "1; mode=block" Header set X-Robots-Tag "noindex, nofollow" Header set X-Frame-Options "SAMEORIGIN" SetEnv modHeadersAvailable true