more WIP checkup

3 years ago · cc1137b96b
parent ee92ddb813
commit cc1137b96b
2 changed files with 35 additions and 99 deletions
--- a/server.js
+++ b/server.js
@ -84,12 +84,6 @@ var setHeaders = (function () {
    }
    if (Object.keys(headers).length) {
        return function (req, res) {
-            // apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
-            /*
-            applyHeaderMap(res, {
-                "Cross-Origin-Opener-Policy": /^\/(sheet|presentation|doc|convert)\//.test(req.url)? 'same-origin': '',
-            });*/
-
            if (Env.NO_SANDBOX) { // handles correct configuration for local development
            // https://stackoverflow.com/questions/11531121/add-duplicate-http-response-headers-in-nodejs
                applyHeaderMap(res, {
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@ -369,7 +369,6 @@ define([
        var expect = {
            'cross-origin-resource-policy': 'cross-origin',
            'cross-origin-embedder-policy': 'require-corp',
-            //'cross-origin-opener-policy': 'same-origin', // FIXME this is in our nginx config but not server.js
        };

        $.ajax(url, {
@ -654,7 +653,7 @@ define([
        ]);
    };

-    assert(function (_cb, msg) {
+    assert(function (_cb, msg) { // FIXME possibly superseded by more advanced CSP tests?
        var url = '/sheet/inner.html';
        var cb = Util.once(Util.mkAsync(_cb));
        msg.appendChild(CSP_WARNING(url));
@ -670,7 +669,7 @@ define([
        });
    });

-    assert(function (cb, msg) {
+    assert(function (cb, msg) { // FIXME possibly superseded by more advanced CSP tests?
        var url = '/common/onlyoffice/v5/web-apps/apps/spreadsheeteditor/main/index.html';
        msg.appendChild(CSP_WARNING(url));
        deferredPostMessage({
@ -803,36 +802,7 @@ define([
        cb(isHTTPS(trimmedUnsafe) && isHTTPS(trimmedSafe));
    });

-    [
-        //'sheet',
-        //'presentation',
-        //'doc',
-        //'convert',
-    ].forEach(function (url) {
-        assert(function (cb, msg) {
-            var header = 'cross-origin-opener-policy';
-            var expected = 'same-origin';
-            deferredPostMessage({
-                command: 'GET_HEADER',
-                content: {
-                    url: '/' + url + '/',
-                    header: header,
-                }
-            }, function (content) {
-                msg.appendChild(h('span', [
-                    code(url),
-                    ' was served without the correct ',
-                    code(header),
-                    ' HTTP header value (',
-                    code(expected),
-                    '). This will interfere with your ability to convert between office file formats.'
-                ]));
-                cb(content === expected);
-            });
-        });
-    });
-
-    assert(function (cb, msg) { // XXX this test has been superceded
+    assert(function (cb, msg) { // FIXME this test has been superceded, but the descriptive text is still useful
        // check that the sandbox domain is included in connect-src
        msg.appendChild(h('span', [
            "This instance's ",
@ -856,42 +826,8 @@ define([
        });
    });

-    assert(function (cb, msg) { // XXX this test has been superceded
-        var directives = [
-            'img-src',
-            'media-src',
-            'child-src',
-            'frame-src'
-        ];
-
-        msg.appendChild(h('span', [
-            "This instance's ",
-            code("Content-Security-Policy"),
-            " headers are unnecessarily permissive.",
-            h('br'),
-            h('br'),
-            " Review the recommended settings for ",
-            code('img-src'), ', ',
-            code('media-src'), ', ',
-            code('child-src'), ', and ',
-            code('frame-src'),
-            " in the provided NGINX configuration file for an example of how to set these headers correctly.",
-        ]));
-        Tools.common_xhr('/', function (xhr) {
-            var CSP = parseCSP(xhr.getResponseHeader('content-security-policy'));
-            // check that the relevant CSP directives are defined
-            // and that none of them permit general remote content via '*'
-            if (directives.every(function (k) {
-                return typeof(CSP[k]) === 'string' && !/ \* /.test(CSP[k]);
-            })) {
-                return void cb(true);
-            }
-            cb(CSP);
-        });
-    });
-
    assert(function (cb, msg) {
-        msg.appendChild(h('span', [ // XXX
+        msg.appendChild(h('span', [
            code('/api/config'),
            " returned an HTTP status code other than ",
            code('200'),
@ -985,8 +921,8 @@ define([
                'child-src': [$outer], //["'self'", 'blob:', $outer, $sandbox],
                'frame-src': ["'self'", 'blob:', /*$outer, */$sandbox],
                'script-src': ["'self'", 'resource:', $outer,
-                    "'unsafe-eval'", // XXX sloppy onlyoffice BS
-                    "'unsafe-inline'", // XXX sloppy onlyoffice BS
+                    "'unsafe-eval'",
+                    "'unsafe-inline'",
                ],
                'connect-src': [
                    "'self'",
@ -994,7 +930,6 @@ define([
                    $outer,
                    $sandbox,
                    /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
-                    ///https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
                ],

                'img-src': ["'self'", 'data:', 'blob:', $outer],
@ -1031,8 +966,6 @@ define([
                    $outer,
                    $sandbox,
                    /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
-                    ///https:/.test($outer)? '': 'ws:', // XXX warn about ws: unless the origin is unencrypted
-                    //'wss:', // XXX always accept wss: ???
                ],
                'img-src': ["'self'", 'data:', 'blob:', $outer],
                'media-src': ['blob:'],
@ -1045,46 +978,62 @@ define([
    });

    assert(function (cb, msg) {
-        var header = 'access-control-allow-origin';
+        var header = 'Access-Control-Allow-Origin';
        msg.appendChild(h('span', [
-            header,
+            'Assets must be served with an ',
+            code(header),
+            ' header with a value of ',
+            code("'*'"),
+            ' if you wish to support embedding of encrypted media on third party websites.',
        ]));
        Tools.common_xhr('/', function (xhr) {
            var raw = xhr.getResponseHeader(header);
-            cb(raw === "*" || raw); // XXX
+            cb(raw === "*" || raw);
        });
    });

    assert(function (cb, msg) {
-        var header = 'cross-origin-embedder-policy';
+        var header = 'Cross-Origin-Embedder-Policy';
        msg.appendChild(h('span', [
-            header,
+            "Assets must be served with a ",
+            code(header),
+            ' value of ',
+            code('require-corp'),
+            " to enable browser features required for client-side document conversion.",
        ]));
        Tools.common_xhr('/', function (xhr) {
            var raw = xhr.getResponseHeader(header);
-            cb(raw === 'require-corp' || raw); // XXX
+            cb(raw === 'require-corp' || raw);
        });
    });

    assert(function (cb, msg) {
-        var header = 'cross-origin-resource-policy';
+        var header = 'Cross-Origin-Resource-Policy';
        msg.appendChild(h('span', [
-            header,
+            "Assets must be served with a ",
+            code(header),
+            ' value of ',
+            code('cross-origin'),
+            " to enable browser features required for client-side document conversion.",
        ]));
        Tools.common_xhr('/', function (xhr) {
            var raw = xhr.getResponseHeader(header);
-            cb(raw === 'cross-origin' || raw); // XXX
+            cb(raw === 'cross-origin' || raw);
        });
    });

    assert(function (cb, msg) {
        var header = 'X-Content-Type-Options';
        msg.appendChild(h('span', [
-            header,
+            "Assets should be served with an ",
+            code(header),
+            ' header with a value of ',
+            code('nosniff'),
+            '.',
        ]));
        Tools.common_xhr('/', function (xhr) {
            var raw = xhr.getResponseHeader(header);
-            cb(raw === 'nosniff' || raw); // XXX
+            cb(raw === 'nosniff' || raw);
        });
    });

@ -1100,7 +1049,7 @@ define([
        // Cache-Control should be 'no-cache' unless the URL includes ver=
        Tools.common_xhr('/', function (xhr) {
            var raw = xhr.getResponseHeader(header);
-            cb(raw === 'no-cache' || raw); // XXX
+            cb(raw === 'no-cache' || raw);
        });
    });

@ -1114,7 +1063,7 @@ define([
        // Cache-Control should be 'max-age=<number>' if the URL includes 'ver='
        Tools.common_xhr('/customize/messages.js?ver=' +(+new Date()), function (xhr) {
            var raw = xhr.getResponseHeader(header);
-            cb(/max\-age=\d+$/.test(raw) || raw); // XXX
+            cb(/max\-age=\d+$/.test(raw) || raw);
        });
    });

@ -1167,13 +1116,6 @@ define([
    });
 */

-    if (false) {
-        assert(function (cb, msg) {
-            msg.innerText = 'fake test to simulate failure';
-            cb(false);
-        });
-    }
-
    var row = function (cells) {
        return h('tr', cells.map(function (cell) {
            return h('td', cell);