
Commit 1800cc8

authored
Merge pull request #11628 from 2403905/issues/OCISDEV-278
feat: [OCISDEV-278] X-XSS-Protection header removed
2 parents 1bdd391 + d9bf690 commit 1800cc8


8 files changed

+2852
-2287
lines changed


deployments/examples/oc10_ocis_parallel/config/keycloak/owncloud-realm.dist.json

Lines changed: 2730 additions & 2156 deletions

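--- a/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json
+++ b/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json
@@ -1962,7 +1962,6 @@
 "xRobotsTag": "none",
 "xFrameOptions": "SAMEORIGIN",
 "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
-"xXSSProtection": "1; mode=block",
 "strictTransportSecurity": "max-age=31536000; includeSubDomains"
 },
 "smtpServer": {},
@@ -2161,124 +2160,124 @@
 "supportedLocales": [],
 "authenticationFlows": [
 {
-"id" : "5392b282-096e-4994-a3ad-780eb4023d27",
-"alias" : "step up flow",
-"description" : "browser login flow with step-up mechanism",
-"providerId" : "basic-flow",
-"topLevel" : true,
-"builtIn" : false,
-"authenticationExecutions" : [
-{
-"authenticator" : "auth-cookie",
-"authenticatorFlow" : false,
-"requirement" : "ALTERNATIVE",
-"priority" : 20,
-"autheticatorFlow" : false,
-"userSetupAllowed" : false
-},
-{
-"authenticator" : "auth-spnego",
-"authenticatorFlow" : false,
-"requirement" : "DISABLED",
-"priority" : 25,
-"autheticatorFlow" : false,
-"userSetupAllowed" : false
-},
-{
-"authenticator" : "identity-provider-redirector",
-"authenticatorFlow" : false,
-"requirement" : "ALTERNATIVE",
-"priority" : 30,
-"autheticatorFlow" : false,
-"userSetupAllowed" : false
-},
-{
-"authenticatorFlow" : true,
-"requirement" : "ALTERNATIVE",
-"priority" : 31,
-"autheticatorFlow" : true,
-"flowAlias" : "base step up",
-"userSetupAllowed" : false
+"id": "5392b282-096e-4994-a3ad-780eb4023d27",
+"alias": "step up flow",
+"description": "browser login flow with step-up mechanism",
+"providerId": "basic-flow",
+"topLevel": true,
+"builtIn": false,
+"authenticationExecutions": [
+{
+"authenticator": "auth-cookie",
+"authenticatorFlow": false,
+"requirement": "ALTERNATIVE",
+"priority": 20,
+"autheticatorFlow": false,
+"userSetupAllowed": false
+},
+{
+"authenticator": "auth-spnego",
+"authenticatorFlow": false,
+"requirement": "DISABLED",
+"priority": 25,
+"autheticatorFlow": false,
+"userSetupAllowed": false
+},
+{
+"authenticator": "identity-provider-redirector",
+"authenticatorFlow": false,
+"requirement": "ALTERNATIVE",
+"priority": 30,
+"autheticatorFlow": false,
+"userSetupAllowed": false
+},
+{
+"authenticatorFlow": true,
+"requirement": "ALTERNATIVE",
+"priority": 31,
+"autheticatorFlow": true,
+"flowAlias": "base step up",
+"userSetupAllowed": false
 }
 ]
 },
 {
-"id" : "00e79c8a-93b3-4c0d-857f-7bf5be19d0cb",
-"alias" : "base step up",
-"description" : "base step up flow",
-"providerId" : "basic-flow",
-"topLevel" : false,
-"builtIn" : false,
-"authenticationExecutions" : [
-{
-"authenticatorFlow" : true,
-"requirement" : "CONDITIONAL",
-"priority" : 2,
-"autheticatorFlow" : true,
-"flowAlias" : "step up level 1",
-"userSetupAllowed" : false
-},
-{
-"authenticatorFlow" : true,
-"requirement" : "CONDITIONAL",
-"priority" : 3,
-"autheticatorFlow" : true,
-"flowAlias" : "step up level 2",
-"userSetupAllowed" : false
+"id": "00e79c8a-93b3-4c0d-857f-7bf5be19d0cb",
+"alias": "base step up",
+"description": "base step up flow",
+"providerId": "basic-flow",
+"topLevel": false,
+"builtIn": false,
+"authenticationExecutions": [
+{
+"authenticatorFlow": true,
+"requirement": "CONDITIONAL",
+"priority": 2,
+"autheticatorFlow": true,
+"flowAlias": "step up level 1",
+"userSetupAllowed": false
+},
+{
+"authenticatorFlow": true,
+"requirement": "CONDITIONAL",
+"priority": 3,
+"autheticatorFlow": true,
+"flowAlias": "step up level 2",
+"userSetupAllowed": false
 }
 ]
 },
 {
-"id" : "32ec29d9-dd12-45ce-bdbc-3e597aca4b51",
-"alias" : "step up level 1",
-"description" : "loa 1 with username and password",
-"providerId" : "basic-flow",
-"topLevel" : false,
-"builtIn" : false,
-"authenticationExecutions" : [
-{
-"authenticatorConfig" : "loa level 1",
-"authenticator" : "conditional-level-of-authentication",
-"authenticatorFlow" : false,
-"requirement" : "REQUIRED",
-"priority" : 0,
-"autheticatorFlow" : false,
-"userSetupAllowed" : false
-},
-{
-"authenticator" : "auth-username-password-form",
-"authenticatorFlow" : false,
-"requirement" : "REQUIRED",
-"priority" : 1,
-"autheticatorFlow" : false,
-"userSetupAllowed" : false
+"id": "32ec29d9-dd12-45ce-bdbc-3e597aca4b51",
+"alias": "step up level 1",
+"description": "loa 1 with username and password",
+"providerId": "basic-flow",
+"topLevel": false,
+"builtIn": false,
+"authenticationExecutions": [
+{
+"authenticatorConfig": "loa level 1",
+"authenticator": "conditional-level-of-authentication",
+"authenticatorFlow": false,
+"requirement": "REQUIRED",
+"priority": 0,
+"autheticatorFlow": false,
+"userSetupAllowed": false
+},
+{
+"authenticator": "auth-username-password-form",
+"authenticatorFlow": false,
+"requirement": "REQUIRED",
+"priority": 1,
+"autheticatorFlow": false,
+"userSetupAllowed": false
 }
 ]
 },
 {
-"id" : "b8c46bfb-cf9e-414a-a773-b17e0fdaa475",
-"alias" : "step up level 2",
-"description" : "loa 2 with totp",
-"providerId" : "basic-flow",
-"topLevel" : false,
-"builtIn" : false,
-"authenticationExecutions" : [
-{
-"authenticatorConfig" : "loa level 2",
-"authenticator" : "conditional-level-of-authentication",
-"authenticatorFlow" : false,
-"requirement" : "REQUIRED",
-"priority" : 0,
-"autheticatorFlow" : false,
-"userSetupAllowed" : false
-},
-{
-"authenticator" : "auth-otp-form",
-"authenticatorFlow" : false,
-"requirement" : "REQUIRED",
-"priority" : 1,
-"autheticatorFlow" : false,
-"userSetupAllowed" : false
+"id": "b8c46bfb-cf9e-414a-a773-b17e0fdaa475",
+"alias": "step up level 2",
+"description": "loa 2 with totp",
+"providerId": "basic-flow",
+"topLevel": false,
+"builtIn": false,
+"authenticationExecutions": [
+{
+"authenticatorConfig": "loa level 2",
+"authenticator": "conditional-level-of-authentication",
+"authenticatorFlow": false,
+"requirement": "REQUIRED",
+"priority": 0,
+"autheticatorFlow": false,
+"userSetupAllowed": false
+},
+{
+"authenticator": "auth-otp-form",
+"authenticatorFlow": false,
+"requirement": "REQUIRED",
+"priority": 1,
+"autheticatorFlow": false,
+"userSetupAllowed": false
 }
 ]
 },
@@ -2810,19 +2809,19 @@
 }
 },
 {
-"id" : "5b7b9811-6a2d-47ba-8722-7a4a5cb67cc3",
-"alias" : "loa level 2",
-"config" : {
-"loa-condition-level" : "2",
-"loa-max-age" : "36000"
+"id": "5b7b9811-6a2d-47ba-8722-7a4a5cb67cc3",
+"alias": "loa level 2",
+"config": {
+"loa-condition-level": "2",
+"loa-max-age": "36000"
 }
 },
 {
-"id" : "fc6ac583-5601-4c97-a57b-3b044dc4007f",
-"alias" : "loa level 1",
-"config" : {
-"loa-condition-level" : "1",
-"loa-max-age" : "36000"
+"id": "fc6ac583-5601-4c97-a57b-3b044dc4007f",
+"alias": "loa level 1",
+"config": {
+"loa-condition-level": "1",
+"loa-max-age": "36000"
 }
 }
 ],
@@ -2921,7 +2920,7 @@
 "parRequestUriLifespan": "60",
 "clientSessionMaxLifespan": "0",
 "organizationsEnabled": "false",
-"acr.loa.map" : "{\"regular\":\"1\",\"advanced\":\"2\"}"
+"acr.loa.map": "{\"regular\":\"1\",\"advanced\":\"2\"}"
 },
 "keycloakVersion": "25.0.0",
 "userManagedAccessAllowed": false,
@@ -2932,4 +2931,4 @@
 "clientPolicies": {
 "policies": []
 }
-}
+}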
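Review bot: Deleting the `xXSSProtection` key from `browserSecurityHeaders` in the hunk at -1962 may not stop Keycloak from emitting the header, because on realm import Keycloak appears to fill any header key missing from the representation with its built-in default, and for the `keycloakVersion` pinned in this file (`25.0.0`) that default is, to my knowledge, still `1; mode=block` — worth confirming against a freshly imported realm. If the intent is to suppress the header, the reliable way is to keep the key with an empty value, `"xXSSProtection": "",`, which Keycloak treats as "do not send". The same removal appears in services/invitations/md-sources/example-realm.json and tests/config/drone/ocis-ci-realm.dist.json. The remaining hunks in this section only normalise `"key" : value` spacing and change nothing semantically.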

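--- a/docs/apis/http/tus_upload.md
+++ b/docs/apis/http/tus_upload.md
@@ -86,7 +86,6 @@ curl -ks -XPOST https://ocis.test/remote.php/dav/spaces/8d72036d-14a5-490f-889e-
 < X-Permitted-Cross-Domain-Policies: none
 < X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx
 < X-Robots-Tag: none
-< X-Xss-Protection: 1; mode=block
 <
 * Connection #0 to host localhost left intact
 ```
@@ -211,7 +210,6 @@ curl -ks -XPOST https://ocis.test/remote.php/dav/spaces/{space-id} \
 < X-Permitted-Cross-Domain-Policies: none
 < X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx
 < X-Robots-Tag: none
-< X-Xss-Protection: 1; mode=block
 <
 * Connection #0 to host localhost left intact
 ```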

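--- a/docs/ocis/storage/spaces.md
+++ b/docs/ocis/storage/spaces.md
@@ -167,7 +167,6 @@ The request will fail with `507 Insufficient Storage`:
 < X-Frame-Options: SAMEORIGIN
 < X-Permitted-Cross-Domain-Policies: none
 < X-Robots-Tag: none
-< X-Xss-Protection: 1; mode=block
 <
 * Connection #0 to host localhost left intact
 * Closing connection 0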

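--- a/services/invitations/md-sources/example-realm.json
+++ b/services/invitations/md-sources/example-realm.json
@@ -1413,7 +1413,6 @@
 "xRobotsTag": "none",
 "xFrameOptions": "SAMEORIGIN",
 "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
-"xXSSProtection": "1; mode=block",
 "strictTransportSecurity": "max-age=31536000; includeSubDomains"
 },
 "smtpServer": {
@@ -2745,4 +2744,4 @@
 "clientPolicies": {
 "policies": []
 }
-}
+}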

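--- a/services/proxy/pkg/middleware/security.go
+++ b/services/proxy/pkg/middleware/security.go
@@ -55,7 +55,6 @@ func Security(cspConfig *config.CSP) func(h http.Handler) http.Handler {
 }
 
 secureMiddleware := secure.New(secure.Options{
-BrowserXssFilter: true,
 ContentSecurityPolicy: cspBuilder.MustBuild(),
 ContentTypeNosniff: true,
 CustomFrameOptionsValue: "SAMEORIGIN",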
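Review bot: Removing `BrowserXssFilter: true` from the `secure.Options` literal leaves no record of why the header is deliberately absent, so the next person auditing the response headers against a scanner checklist is likely to add it back. A one-line comment above `secureMiddleware := secure.New(secure.Options{` would prevent that: `// X-XSS-Protection is intentionally not set: the header is deprecated, current browsers ignore it, and the CSP below is the replacement.` Since the zero value of `BrowserXssFilter` is false, dropping the field is enough to stop the header; nothing else in this literal needs to change. The body of `Security` begins and ends outside this hunk, so I could not check whether any other option or a hand-written `w.Header().Set` elsewhere in the function still references the header.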

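--- a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
+++ b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
@@ -223,8 +223,7 @@ Feature: download file
 | X-Content-Type-Options | nosniff |
 | X-Frame-Options | SAMEORIGIN |
 | X-Permitted-Cross-Domain-Policies | none |
-| X-Robots-Tag | none |
-| X-XSS-Protection | 1; mode=block |
+| X-Robots-Tag | none |
 And the downloaded content should be "test file"
 Examples:
 | dav-path-version | file-name | encoded-file-name |
@@ -251,8 +250,7 @@ Feature: download file
 | X-Content-Type-Options | nosniff |
 | X-Frame-Options | SAMEORIGIN |
 | X-Permitted-Cross-Domain-Policies | none |
-| X-Robots-Tag | none |
-| X-XSS-Protection | 1; mode=block |
+| X-Robots-Tag | none |
 And the downloaded content should be "test file"
 Examples:
 | dav-path-version |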

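--- a/tests/config/drone/ocis-ci-realm.dist.json
+++ b/tests/config/drone/ocis-ci-realm.dist.json
@@ -1491,7 +1491,6 @@
 "xRobotsTag": "none",
 "xFrameOptions": "SAMEORIGIN",
 "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
-"xXSSProtection": "1; mode=block",
 "strictTransportSecurity": "max-age=31536000; includeSubDomains"
 },
 "smtpServer": {},
@@ -2329,4 +2328,4 @@
 "clientPolicies": {
 "policies": []
 }
-}
+}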
