@ -1569,7 +1569,7 @@ describe('OC.SetupChecks tests', function() {
msg : 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.' ,
type : OC . SetupChecks . MESSAGE _TYPE _WARNING
} , {
msg : 'The "X-Robots-Tag" HTTP header is not set to "no ne". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
msg : 'The "X-Robots-Tag" HTTP header is not set to "no i nd ex, nofollow ". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type : OC . SetupChecks . MESSAGE _TYPE _WARNING
} , {
msg : 'The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.' ,
@ -1596,7 +1596,7 @@ describe('OC.SetupChecks tests', function() {
suite . server . requests [ 0 ] . respond (
200 ,
{
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'Strict-Transport-Security' : 'max-age=15768000;preload' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
@ -1627,7 +1627,7 @@ describe('OC.SetupChecks tests', function() {
{
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
@ -1641,6 +1641,49 @@ describe('OC.SetupChecks tests', function() {
} ) ;
} ) ;
describe ( 'check X-Robots-Tag header' , function ( ) {
it ( 'should return no message if X-Robots-Tag is set to noindex,nofollow without space' , function ( done ) {
protocolStub . returns ( 'https' ) ;
var result = OC . SetupChecks . checkGeneric ( ) ;
suite . server . requests [ 0 ] . respond ( 200 , {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'noindex,nofollow' ,
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
} ) ;
result . done ( function ( data , s , x ) {
expect ( data ) . toEqual ( [ ] ) ;
done ( ) ;
} ) ;
} ) ;
it ( 'should return a message if X-Robots-Tag is set to none' , function ( done ) {
protocolStub . returns ( 'https' ) ;
var result = OC . SetupChecks . checkGeneric ( ) ;
suite . server . requests [ 0 ] . respond ( 200 , {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'none' ,
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
} ) ;
result . done ( function ( data , s , x ) {
expect ( data ) . toEqual ( [
{
msg : 'The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.' ,
type : OC . SetupChecks . MESSAGE _TYPE _WARNING
}
] ) ;
done ( ) ;
} ) ;
} ) ;
} ) ;
describe ( 'check X-XSS-Protection header' , function ( ) {
it ( 'should return no message if X-XSS-Protection is set to 1; mode=block; report=https://example.com' , function ( done ) {
protocolStub . returns ( 'https' ) ;
@ -1650,7 +1693,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block; report=https://example.com' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -1670,7 +1713,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -1690,7 +1733,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -1715,7 +1758,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '0' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -1742,7 +1785,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -1762,7 +1805,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer-when-downgrade' ,
@ -1782,7 +1825,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'strict-origin' ,
@ -1802,7 +1845,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'strict-origin-when-cross-origin' ,
@ -1822,7 +1865,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'same-origin' ,
@ -1842,7 +1885,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'origin' ,
@ -1867,7 +1910,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'origin-when-cross-origin' ,
@ -1892,7 +1935,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'unsafe-url' ,
@ -1919,7 +1962,7 @@ describe('OC.SetupChecks tests', function() {
{
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -1965,7 +2008,7 @@ describe('OC.SetupChecks tests', function() {
{
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -1990,7 +2033,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15551999' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -2015,7 +2058,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'iAmABogusHeader342' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -2039,7 +2082,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=15768000' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -2059,7 +2102,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=99999999' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -2079,7 +2122,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=99999999; includeSubDomains' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,
@ -2099,7 +2142,7 @@ describe('OC.SetupChecks tests', function() {
'Strict-Transport-Security' : 'max-age=99999999; preload; includeSubDomains' ,
'X-XSS-Protection' : '1; mode=block' ,
'X-Content-Type-Options' : 'nosniff' ,
'X-Robots-Tag' : 'no ne',
'X-Robots-Tag' : 'no i nd ex, nofollow ',
'X-Frame-Options' : 'SAMEORIGIN' ,
'X-Permitted-Cross-Domain-Policies' : 'none' ,
'Referrer-Policy' : 'no-referrer' ,