Open sevmonster opened 1 year ago
Similar issue with the XSS-Protection Header. The security overview says that the "X-XSS-Protection" header does not contain "1; mode=block" because I have disabled it as recommended by Hardenize and Mozilla, as seen in the first commit of this PR: https://github.com/nextcloud/documentation/pull/9188.
Bug description
X-Frame-Options has been obsoleted by Content-Security-Policy's frame-ancestors directive and the security check should pass if either are present, instead of just checking X-Frame-Options. Documentation and the server scanner may also need to be updated if this change is made.
Steps to reproduce
Content-Security-Policy: frame-ancestors 'self' https://somesite.com
X-Frame-Options
Expected behavior
Only show warning if both X-Frame-Options and Content-Security-Policy are missing, potentially encourage users to include CSP frame-ancestors instead of/and replace SAMEORIGIN.
Installation method
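The check the report asks for, written out as an added Python example (this is not Nextcloud's code): it passes when either X-Frame-Options (DENY or SAMEORIGIN) or an enforced Content-Security-Policy frame-ancestors directive is present, and it goes one step beyond the report by ignoring Content-Security-Policy-Report-Only, which never blocks framing. The header mapping shape is an assumption made for the example.

```python
from typing import Dict, List, Optional, Tuple, Union

# Assumed input shape: header name -> value or list of values (names are case-insensitive).
Headers = Dict[str, Union[str, List[str]]]

def _values(headers: Headers, name: str) -> List[str]:
    """All values sent for a header name, compared case-insensitively."""
    out: List[str] = []
    for key, val in headers.items():
        if key.lower() == name.lower():
            out.extend(val if isinstance(val, list) else [val])
    return out

def _csp_directives(value: str) -> Dict[str, List[str]]:
    """Split one CSP header value into {directive-name: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def frame_ancestors(headers: Headers) -> Optional[List[str]]:
    """Sources of the first enforced frame-ancestors directive, or None.
    Content-Security-Policy-Report-Only is deliberately not consulted:
    a report-only policy reports violations but does not block framing."""
    for value in _values(headers, "Content-Security-Policy"):
        sources = _csp_directives(value).get("frame-ancestors")
        if sources is not None:
            return sources
    return None

def clickjacking_check(headers: Headers) -> Tuple[bool, str]:
    """Pass if CSP frame-ancestors is set OR X-Frame-Options is DENY/SAMEORIGIN."""
    sources = frame_ancestors(headers)
    if sources is not None:
        return True, "Content-Security-Policy frame-ancestors " + " ".join(sources)
    xfo = [v.strip().upper() for v in _values(headers, "X-Frame-Options")]
    if xfo and xfo[0] in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo[0]
    if xfo:
        return False, "X-Frame-Options value %r is not DENY or SAMEORIGIN" % xfo[0]
    return False, "neither X-Frame-Options nor a CSP frame-ancestors directive is set"

if __name__ == "__main__":
    # Constructed headers mirroring the report: CSP frame-ancestors only, no X-Frame-Options.
    print(clickjacking_check({"Content-Security-Policy": "frame-ancestors 'self' https://somesite.com"}))
```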