mirror of
https://github.com/overleaf/overleaf.git
synced 2024-11-21 20:47:08 -05:00
Merge pull request #10966 from overleaf/td-add-coop-header
Upgrade Helmet to add some security-related response headers, including COOP GitOrigin-RevId: fce8538b004f7b3ba6c6ca65ad311957d75b496a
This commit is contained in:
parent
b11cb7d1e9
commit
9ab12f3b44
4 changed files with 48 additions and 21 deletions
17
package-lock.json
generated
17
package-lock.json
generated
|
@ -35741,7 +35741,7 @@
|
|||
"fuse.js": "^3.0.0",
|
||||
"globby": "^5.0.0",
|
||||
"handlebars": "^4.7.7",
|
||||
"helmet": "^3.22.0",
|
||||
"helmet": "^6.0.1",
|
||||
"http-proxy": "^1.18.1",
|
||||
"i18next": "^19.6.3",
|
||||
"i18next-fs-backend": "^1.0.7",
|
||||
|
@ -37189,6 +37189,14 @@
|
|||
"node": ">=12.0.0"
|
||||
}
|
||||
},
|
||||
"services/web/node_modules/helmet": {
|
||||
"version": "6.0.1",
|
||||
"resolved": "https://registry.npmjs.org/helmet/-/helmet-6.0.1.tgz",
|
||||
"integrity": "sha512-8wo+VdQhTMVBMCITYZaGTbE4lvlthelPYSvoyNvk4RECTmrVjMerp9RfUOQXZWLvCcAn1pKj7ZRxK4lI9Alrcw==",
|
||||
"engines": {
|
||||
"node": ">=14.0.0"
|
||||
}
|
||||
},
|
||||
"services/web/node_modules/http-errors": {
|
||||
"version": "1.7.2",
|
||||
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.2.tgz",
|
||||
|
@ -46214,7 +46222,7 @@
|
|||
"globby": "^5.0.0",
|
||||
"handlebars": "^4.7.7",
|
||||
"handlebars-loader": "^1.7.1",
|
||||
"helmet": "^3.22.0",
|
||||
"helmet": "^6.0.1",
|
||||
"html-webpack-plugin": "^5.5.0",
|
||||
"http-proxy": "^1.18.1",
|
||||
"i18next": "^19.6.3",
|
||||
|
@ -47262,6 +47270,11 @@
|
|||
"jws": "^4.0.0"
|
||||
}
|
||||
},
|
||||
"helmet": {
|
||||
"version": "6.0.1",
|
||||
"resolved": "https://registry.npmjs.org/helmet/-/helmet-6.0.1.tgz",
|
||||
"integrity": "sha512-8wo+VdQhTMVBMCITYZaGTbE4lvlthelPYSvoyNvk4RECTmrVjMerp9RfUOQXZWLvCcAn1pKj7ZRxK4lI9Alrcw=="
|
||||
},
|
||||
"http-errors": {
|
||||
"version": "1.7.2",
|
||||
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.2.tgz",
|
||||
|
|
|
@ -269,6 +269,14 @@ webRouter.use(
|
|||
dnsPrefetchControl: false,
|
||||
referrerPolicy: { policy: 'origin-when-cross-origin' },
|
||||
hsts: false,
|
||||
// Disabled because it's impractical to include every resource via CORS or
|
||||
// with the magic CORP header
|
||||
crossOriginEmbedderPolicy: false,
|
||||
// Disabled because it's not a security header and has possibly-unwanted
|
||||
// effects
|
||||
originAgentCluster: false,
|
||||
// We have custom handling for CSP below, so Helmet's default is disabled
|
||||
contentSecurityPolicy: false,
|
||||
})
|
||||
)
|
||||
|
||||
|
|
|
@ -164,7 +164,7 @@
|
|||
"fuse.js": "^3.0.0",
|
||||
"globby": "^5.0.0",
|
||||
"handlebars": "^4.7.7",
|
||||
"helmet": "^3.22.0",
|
||||
"helmet": "^6.0.1",
|
||||
"http-proxy": "^1.18.1",
|
||||
"i18next": "^19.6.3",
|
||||
"i18next-fs-backend": "^1.0.7",
|
||||
|
|
|
@ -19,32 +19,38 @@ const request = require('./helpers/request')
|
|||
|
||||
const assert_has_common_headers = function (response) {
|
||||
const { headers } = response
|
||||
assert.equal(headers['x-download-options'], 'noopen')
|
||||
assert.equal(headers['x-xss-protection'], '1; mode=block')
|
||||
return assert.equal(headers['referrer-policy'], 'origin-when-cross-origin')
|
||||
assert.include(headers, {
|
||||
'x-download-options': 'noopen',
|
||||
'x-xss-protection': '0',
|
||||
'cross-origin-resource-policy': 'same-origin',
|
||||
'cross-origin-opener-policy': 'same-origin',
|
||||
'x-content-type-options': 'nosniff',
|
||||
'x-permitted-cross-domain-policies': 'none',
|
||||
'referrer-policy': 'origin-when-cross-origin',
|
||||
})
|
||||
assert.isUndefined(headers['cross-origin-embedder-policy'])
|
||||
}
|
||||
|
||||
const assert_has_cache_headers = function (response) {
|
||||
const { headers } = response
|
||||
assert.equal(headers['surrogate-control'], 'no-store')
|
||||
assert.equal(
|
||||
headers['cache-control'],
|
||||
'no-store, no-cache, must-revalidate, proxy-revalidate'
|
||||
)
|
||||
assert.equal(headers.pragma, 'no-cache')
|
||||
return assert.equal(headers.expires, '0')
|
||||
assert.include(response.headers, {
|
||||
'surrogate-control': 'no-store',
|
||||
'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
|
||||
pragma: 'no-cache',
|
||||
expires: '0',
|
||||
})
|
||||
}
|
||||
|
||||
const assert_has_no_cache_headers = function (response) {
|
||||
const { headers } = response
|
||||
assert.isUndefined(headers['surrogate-control'])
|
||||
assert.isUndefined(headers['cache-control'])
|
||||
assert.isUndefined(headers.pragma)
|
||||
return assert.isUndefined(headers.expires)
|
||||
assert.doesNotHaveAnyKeys(response.headers, [
|
||||
'surrogate-control',
|
||||
'cache-control',
|
||||
'pragma',
|
||||
'expires',
|
||||
])
|
||||
}
|
||||
|
||||
const assert_has_asset_caching_headers = function (response) {
|
||||
const { headers } = response
|
||||
assert.equal(headers['cache-control'], 'public, max-age=31536000')
|
||||
assert.equal(response.headers['cache-control'], 'public, max-age=31536000')
|
||||
}
|
||||
|
||||
describe('SecurityHeaders', function () {
|
||||
|
|
Loading…
Reference in a new issue