wbrawner/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix failing tests and add some more

Browse source 
Signed-off-by: Daniel Peukert <dan.peukert@gmail.com>
This commit is contained in:
Daniel Peukert 2018-10-17 18:22:05 +02:00
parent 2da4f96bd6
commit 7a5d6ac15c
1 changed files with 106 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

114
core/js/tests/specs/setupchecksSpec.js
View file

@ -811,9 +811,6 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "X-XSS-Protection" HTTP header is not set to "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
@ -829,6 +826,9 @@ describe('OC.SetupChecks tests', function() {
}, {
msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
@ -855,13 +855,15 @@ describe('OC.SetupChecks tests', function() {
);
async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "X-XSS-Protection" HTTP header is not set to "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING,
}, {
expect(data).toEqual([
{
msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
}, {
msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING,
}
]);
done();
});
});
@ -890,6 +892,102 @@ describe('OC.SetupChecks tests', function() {
});
});
describe('check X-XSS-Protection header', function() {
it('should return no message if X-XSS-Protection is set to 1; mode=block; report=https://example.com', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block; report=https://example.com',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
result.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return no message if X-XSS-Protection is set to 1; mode=block', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
result.done(function( data, s, x ){
expect(data).toEqual([]);
done();
});
});
it('should return a message if X-XSS-Protection is set to 1', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
result.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}
]);
done();
});
});
it('should return a message if X-XSS-Protection is set to 0', function(done) {
protocolStub.returns('https');
var result = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '0',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
'Referrer-Policy': 'no-referrer',
});
result.done(function( data, s, x ){
expect(data).toEqual([
{
msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}
]);
done();
});
});
});
describe('check Referrer-Policy header', function() {
it('should return no message if Referrer-Policy is set to no-referrer', function(done) {
protocolStub.returns('https');