add security access headers for ocdav requests

cs3org · May 28, 2020 · 56b8838 · 56b8838
1 parent a384685
commit 56b8838
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/internal/http/services/owncloud/ocdav/get.go b/internal/http/services/owncloud/ocdav/get.go
@@ -119,6 +119,8 @@ func (s *svc) handleGet(w http.ResponseWriter, r *http.Request, ns string) {
 	}
 
 	w.Header().Set("Content-Type", info.MimeType)
+	w.Header().Set("Content-Disposition", "attachment; filename*=UTF-8''"+
+		path.Base(info.Path)+"; filename=\""+path.Base(info.Path)+"\"")
 	w.Header().Set("ETag", info.Etag)
 	w.Header().Set("OC-FileId", wrapResourceID(info.Id))
 	w.Header().Set("OC-ETag", info.Etag)

diff --git a/internal/http/services/owncloud/ocdav/ocdav.go b/internal/http/services/owncloud/ocdav/ocdav.go
@@ -122,8 +122,7 @@ func (s *svc) Handler() http.Handler {
 		ctx := r.Context()
 		log := appctx.GetLogger(ctx)
 
-		// the webdav api is accessible from anywhere
-		w.Header().Set("Access-Control-Allow-Origin", "*")
+		addAccessHeaders(w, r)
 
 		// TODO(jfd): do we need this?
 		// fake litmus testing for empty namespace: see https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/webdav/litmus_test_server.go#L58-L89
@@ -211,3 +210,27 @@ func unwrap(rid string) *provider.ResourceId {
 		OpaqueId:  parts[1],
 	}
 }
+
+func addAccessHeaders(w http.ResponseWriter, r *http.Request) {
+	headers := w.Header()
+	// the webdav api is accessible from anywhere
+	headers.Set("Access-Control-Allow-Origin", "*")
+	// all resources served via the DAV endpoint should have the strictest possible as default
+	headers.Set("Content-Security-Policy", "default-src 'none';")
+	// disable sniffing the content type for IE
+	headers.Set("X-Content-Type-Options", "nosniff")
+	// https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
+	headers.Set("X-Download-Options", "noopen")
+	// Disallow iFraming from other domains
+	headers.Set("X-Frame-Options", "SAMEORIGIN")
+	// https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
+	headers.Set("X-Permitted-Cross-Domain-Policies", "none")
+	// https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
+	headers.Set("X-Robots-Tag", "none")
+	// enforce browser based XSS filters
+	headers.Set("X-XSS-Protection", "1; mode=block")
+
+	if r.TLS != nil {
+		headers.Set("Strict-Transport-Security", "max-age=63072000")
+	}
+}