From 9ae4101ea22f1e6e7bedfafbc0f174381db1e66a Mon Sep 17 00:00:00 2001
From: ansuz
Date: Wed, 23 Mar 2022 13:35:17 +0530
Subject: [PATCH] test for the presence of x-content-type-options for blob and block

---
 www/checkup/main.js | 73 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 57 insertions(+), 16 deletions(-)

diff --git a/www/checkup/main.js b/www/checkup/main.js
index 204c9082e..1f3ea8e3f 100644
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@@ -74,6 +74,19 @@ define([
 var trimmedUnsafe = trimSlashes(ApiConfig.httpUnsafeOrigin);
 var fileHost = ApiConfig.fileHost;
 
+ var getAPIPlaceholderPath = function (relative) {
+ var absolute;
+ try {
+ absolute = new URL(relative, ApiConfig.fileHost || ApiConfig.httpUnsafeOrigin).href;
+ } catch (err) {
+ absolute = relative;
+ }
+ return absolute;
+ };
+
+ var blobPlaceholderPath = getAPIPlaceholderPath('/blob/placeholder.txt');
+ var blockPlaceholderPath = getAPIPlaceholderPath('/block/placeholder.txt');
+
 var API_URL;
 try {
 API_URL = new URL(NetConfig.getWebsocketURL(window.location.origin), trimmedUnsafe);
@@ -1235,15 +1248,10 @@ define([
 cb(isValidInfoURL(url) || url);
 });
 
- assert(function (cb, msg) {
- var path = '/blob/placeholder.txt';
- var fullPath;
- try {
- fullPath = new URL(path, ApiConfig.fileHost || ApiConfig.httpUnsafeOrigin).href;
- } catch (err) {
- fullPath = path;
- }
 
+
+ assert(function (cb, msg) {
+ var fullPath = blobPlaceholderPath;
 msg.appendChild(h('span', [
 "A placeholder file was expected to be available at ",
 code(fullPath),
@@ -1260,14 +1268,7 @@ define([
 });
 
 assert(function (cb, msg) {
- var path = '/block/placeholder.txt';
- var fullPath;
- try {
- fullPath = new URL(path, ApiConfig.fileHost || ApiConfig.httpUnsafeOrigin).href;
- } catch (err) {
- fullPath = path;
- }
-
+ var fullPath = blockPlaceholderPath;
 msg.appendChild(h('span', [
 "A placeholder file was expected to be available at ",
 code(fullPath),
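Review bot: `getAPIPlaceholderPath` in the first hunk silently falls back to the bare relative path when `new URL(...)` throws, so an invalid `fileHost`/`httpUnsafeOrigin` makes every later placeholder and header check resolve against the checkup page's own origin instead of the file host, and nothing in this hunk surfaces that; `err` is also unused. The helper re-reads `ApiConfig.fileHost` although the line just above already binds it to `fileHost`. Consider at least logging the fallback, `} catch (err) { console.error(err); absolute = relative; }`, or documenting it with a comment such as `// falls back to a relative path (resolved against this page's origin) when the configured origins are not valid URLs`. The second and third hunks only swap in the new constants; the extra blank line added before the blob `assert` in the second hunk leaves consecutive empty lines.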
@@ -1325,6 +1326,46 @@ define([
 cb(!ApiConfig.shouldUpdateNode);
 });
 
+ assert(function (cb, msg) {
+ var header = 'X-Content-Type-Options';
+ msg.appendChild(h('span', [
+ "Content served from the ",
+ code('/blob/'),
+ " directory is expected to have a ",
+ code(header),
+ " header with a value of ",
+ code('nosniff'),
+ '.',
+ ]));
+ Tools.common_xhr(blobPlaceholderPath, xhr => {
+ var xcto = xhr.getResponseHeader('x-content-type-options');
+ cb(xcto === 'nosniff' || {
+ path: blobPlaceholderPath,
+ value: xcto,
+ });
+ });
+ });
+
+ assert(function (cb, msg) {
+ var header = 'X-Content-Type-Options';
+ msg.appendChild(h('span', [
+ "Content served from the ",
+ code('/block/'),
+ " directory is expected to have a ",
+ code(header),
+ " header with a value of ",
+ code('nosniff'),
+ '.',
+ ]));
+ Tools.common_xhr(blockPlaceholderPath, xhr => {
+ var xcto = xhr.getResponseHeader('x-content-type-options');
+ cb(xcto === 'nosniff' || {
+ path: blockPlaceholderPath,
+ value: xcto,
+ });
+ });
+ });
+
 var serverToken;
 Tools.common_xhr('/', function (xhr) {
 serverToken = xhr.getResponseHeader('server');
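Review bot: The `xcto === 'nosniff'` comparison in both new `assert` blocks is case-sensitive, but browsers match the `X-Content-Type-Options` value ASCII case-insensitively, so a server answering `NOSNIFF` is protected yet fails this check; lower-casing the header before comparing removes the false negative while the raw value can still be reported. The two blocks differ only in the directory label and the placeholder path, and the arrow callback `xhr => {` departs from the `function (xhr)` style of the `Tools.common_xhr('/', ...)` call right below, so a small helper taking the directory and path would remove the duplication. Whether `Tools.common_xhr` invokes its callback on a network error or timeout is not visible here; if it does not, these assertions would never complete rather than fail, which is worth confirming. The enclosing `define([` body begins and ends outside the hunk.
```javascript
var assertNoSniff = function (dir, placeholderPath) {
    assert(function (cb, msg) {
        var header = 'X-Content-Type-Options';
        msg.appendChild(h('span', [
            "Content served from the ",
            code(dir),
            // … unchanged: rest of the expectation message …
        ]));
        Tools.common_xhr(placeholderPath, function (xhr) {
            var raw = xhr.getResponseHeader('x-content-type-options');
            // browsers treat the value as ASCII case-insensitive
            var xcto = (raw || '').trim().toLowerCase();
            cb(xcto === 'nosniff' || {
                path: placeholderPath,
                value: raw,
            });
        });
    });
};
assertNoSniff('/blob/', blobPlaceholderPath);
assertNoSniff('/block/', blockPlaceholderPath);
```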