test for the presence of x-content-type-options for blob and block

pull/1/head
ansuz 3 years ago
parent 4c53d9b509
commit 9ae4101ea2

@ -74,6 +74,19 @@ define([
var trimmedUnsafe = trimSlashes(ApiConfig.httpUnsafeOrigin); var trimmedUnsafe = trimSlashes(ApiConfig.httpUnsafeOrigin);
var fileHost = ApiConfig.fileHost; var fileHost = ApiConfig.fileHost;
var getAPIPlaceholderPath = function (relative) {
var absolute;
try {
absolute = new URL(relative, ApiConfig.fileHost || ApiConfig.httpUnsafeOrigin).href;
} catch (err) {
absolute = relative;
}
return absolute;
};
var blobPlaceholderPath = getAPIPlaceholderPath('/blob/placeholder.txt');
var blockPlaceholderPath = getAPIPlaceholderPath('/block/placeholder.txt');
var API_URL; var API_URL;
try { try {
API_URL = new URL(NetConfig.getWebsocketURL(window.location.origin), trimmedUnsafe); API_URL = new URL(NetConfig.getWebsocketURL(window.location.origin), trimmedUnsafe);
@ -1235,15 +1248,10 @@ define([
cb(isValidInfoURL(url) || url); cb(isValidInfoURL(url) || url);
}); });
assert(function (cb, msg) {
var path = '/blob/placeholder.txt';
var fullPath;
try {
fullPath = new URL(path, ApiConfig.fileHost || ApiConfig.httpUnsafeOrigin).href;
} catch (err) {
fullPath = path;
}
assert(function (cb, msg) {
var fullPath = blobPlaceholderPath;
msg.appendChild(h('span', [ msg.appendChild(h('span', [
"A placeholder file was expected to be available at ", "A placeholder file was expected to be available at ",
code(fullPath), code(fullPath),
@ -1260,14 +1268,7 @@ define([
}); });
assert(function (cb, msg) { assert(function (cb, msg) {
var path = '/block/placeholder.txt'; var fullPath = blockPlaceholderPath;
var fullPath;
try {
fullPath = new URL(path, ApiConfig.fileHost || ApiConfig.httpUnsafeOrigin).href;
} catch (err) {
fullPath = path;
}
msg.appendChild(h('span', [ msg.appendChild(h('span', [
"A placeholder file was expected to be available at ", "A placeholder file was expected to be available at ",
code(fullPath), code(fullPath),
@ -1325,6 +1326,46 @@ define([
cb(!ApiConfig.shouldUpdateNode); cb(!ApiConfig.shouldUpdateNode);
}); });
assert(function (cb, msg) {
var header = 'X-Content-Type-Options';
msg.appendChild(h('span', [
"Content served from the ",
code('/blob/'),
" directory is expected to have a ",
code(header),
" header with a value of ",
code('nosniff'),
'.',
]));
Tools.common_xhr(blobPlaceholderPath, xhr => {
var xcto = xhr.getResponseHeader('x-content-type-options');
cb(xcto === 'nosniff' || {
path: blobPlaceholderPath,
value: xcto,
});
});
});
assert(function (cb, msg) {
var header = 'X-Content-Type-Options';
msg.appendChild(h('span', [
"Content served from the ",
code('/block/'),
" directory is expected to have a ",
code(header),
" header with a value of ",
code('nosniff'),
'.',
]));
Tools.common_xhr(blockPlaceholderPath, xhr => {
var xcto = xhr.getResponseHeader('x-content-type-options');
cb(xcto === 'nosniff' || {
path: blockPlaceholderPath,
value: xcto,
});
});
});
var serverToken; var serverToken;
Tools.common_xhr('/', function (xhr) { Tools.common_xhr('/', function (xhr) {
serverToken = xhr.getResponseHeader('server'); serverToken = xhr.getResponseHeader('server');

Loading…
Cancel
Save