Fix: Treat XML like HTML and allow CSP headers for scripts

sarvaje · antross · commit fbb8ff368ef0 · 2019-06-21T17:11:18.000-05:00
Fix #2349 Fix #2342 Close #2618
diff --git a/packages/hint-no-html-only-headers/README.md b/packages/hint-no-html-only-headers/README.md
@@ -1,7 +1,7 @@
 # Unneeded HTTP headers (`no-html-only-headers`)
 
 `no-html-only-headers` warns against responding with HTTP headers that
-are not needed for non-HTML resources.
+are not needed for non-HTML (or non-XML) resources.
 
 ## Why is this important?
 
@@ -16,11 +16,14 @@ HTTP headers:
 
 * `Content-Security-Policy`
 * `X-Content-Security-Policy`
-* `X-Frame-Options`
 * `X-UA-Compatible`
 * `X-WebKit-CSP`
 * `X-XSS-Protection`
 
+In case of a JavaScript file, `Content-Security-Policy` and
+`X-Content-Security-Policy` will be ignored since CSP is
+also relevant to workers.
+
 ### Examples that **trigger** the hint
 
 Response for `/test.js`:
@@ -30,9 +33,6 @@ HTTP/... 200 OK
 
 Content-Type: text/javascript; charset=utf-8
 ...
-Content-Security-Policy: default-src 'none'
-X-Content-Security-Policy: default-src 'none'
-X-Frame-Options: DENY
 X-UA-Compatible: IE=Edge,
 X-WebKit-CSP: default-src 'none'
 X-XSS-Protection: 1; mode=block
@@ -48,7 +48,6 @@ Content-Type: x/y
 ...
 Content-Security-Policy: default-src 'none'
 X-Content-Security-Policy: default-src 'none'
-X-Frame-Options: DENY
 X-UA-Compatible: IE=Edge,
 X-WebKit-CSP: default-src 'none'
 X-XSS-Protection: 1; mode=block
@@ -63,6 +62,8 @@ Response for `/test.js`:
 HTTP/... 200 OK
 
 Content-Type: text/javascript; charset=utf-8
+Content-Security-Policy: default-src 'none'
+X-Content-Security-Policy: default-src 'none'
 ...
 ```
 
@@ -75,7 +76,21 @@ Content-Type: text/html
 ...
 Content-Security-Policy: default-src 'none'
 X-Content-Security-Policy: default-src 'none'
-X-Frame-Options: DENY
+X-UA-Compatible: IE=Edge,
+X-WebKit-CSP: default-src 'none'
+X-XSS-Protection: 1; mode=block
+...
+```
+
+Response for `/test.xml`:
+
+```text
+HTTP/... 200 OK
+
+Content-Type: application/xhtml+xml
+...
+Content-Security-Policy: default-src 'none'
+X-Content-Security-Policy: default-src 'none'
 X-UA-Compatible: IE=Edge,
 X-WebKit-CSP: default-src 'none'
 X-XSS-Protection: 1; mode=block
@@ -98,13 +113,15 @@ you can do something such as the following:
     # Because `mod_headers` cannot match based on the content-type,
     # the following workaround needs to be used.
 
-    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ic[os]|jpe?g|m?js|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
+    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ic[os]|jpe?g|m?js|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xpi)$">
+        Header unset X-UA-Compatible
+        Header unset X-XSS-Protection
+    </FilesMatch>
+
+    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ic[os]|jpe?g|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|png|rdf|rss|safariextz|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xpi)$">
         Header unset Content-Security-Policy
         Header unset X-Content-Security-Policy
-        Header unset X-Frame-Options
-        Header unset X-UA-Compatible
         Header unset X-WebKit-CSP
-        Header unset X-XSS-Protection
     </FilesMatch>
 </IfModule>
 ```
@@ -143,21 +160,14 @@ any resource whose `Content-Type` header isn't `text/html`:
                  <rule name="Content-Security-Policy">
                     <match serverVariable="RESPONSE_Content_Security_Policy" pattern=".*" />
                     <conditions>
-                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" negate="true" />
+                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^(text/html|text/xml|application/xhtml+xml|text/javascript|application/pdf|image/svg+xml)" negate="true" />
                     </conditions>
                     <action type="Rewrite" value=""/>
                 </rule>
                 <rule name="X-Content-Security-Policy">
                     <match serverVariable="RESPONSE_X_Content_Security_Policy" pattern=".*" />
                     <conditions>
-                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" negate="true" />
-                    </conditions>
-                    <action type="Rewrite" value=""/>
-                </rule>
-                <rule name="X-Frame-Options">
-                    <match serverVariable="RESPONSE_X_Frame_Options" pattern=".*" />
-                    <conditions>
-                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" negate="true" />
+                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^(text/html|text/xml|application/xhtml+xml|text/javascript|application/pdf|image/svg+xml)" negate="true" />
                     </conditions>
                     <action type="Rewrite" value=""/>
                 </rule>
@@ -171,7 +181,7 @@ any resource whose `Content-Type` header isn't `text/html`:
                 <rule name="X-WebKit-CSP">
                     <match serverVariable="RESPONSE_X_Webkit_csp" pattern=".*" />
                     <conditions>
-                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" negate="true" />
+                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^(text/html|text/xml|application/xhtml+xml|text/javascript|application/pdf|image/svg+xml)" negate="true" />
                     </conditions>
                     <action type="Rewrite" value=""/>
                 </rule>
diff --git a/packages/hint-no-html-only-headers/src/hint.ts b/packages/hint-no-html-only-headers/src/hint.ts
@@ -33,16 +33,29 @@ export default class NoHtmlOnlyHeadersHint implements IHint {
 
     public constructor(context: HintContext) {
 
-        let unneededHeaders: string[] = [
+        let unneededHeaders = [
             'content-security-policy',
             'feature-policy',
             'x-content-security-policy',
-            'x-frame-options',
             'x-ua-compatible',
             'x-webkit-csp',
             'x-xss-protection'
         ];
 
+        // TODO: Remove once https://github.com/webhintio/hint/issues/25 is implemented.
+        const exceptionHeaders = [
+            'content-security-policy',
+            'x-content-security-policy',
+            'x-webkit-csp'
+        ];
+
+        // TODO: Remove once https://github.com/webhintio/hint/issues/25 is implemented.
+        const exceptionMediaTypes = [
+            'application/pdf',
+            'image/svg+xml',
+            'text/javascript'
+        ];
+
         const loadHintConfigs = () => {
             const includeHeaders = (context.hintOptions && context.hintOptions.include) || [];
             const ignoreHeaders = (context.hintOptions && context.hintOptions.ignore) || [];
@@ -51,8 +64,8 @@ export default class NoHtmlOnlyHeadersHint implements IHint {
         };
 
         const willBeTreatedAsHTML = (response: Response): boolean => {
-            const contentTypeHeader: string | undefined = response.headers['content-type'];
-            const mediaType: string = contentTypeHeader ? contentTypeHeader.split(';')[0].trim() : '';
+            const contentTypeHeader = response.headers['content-type'];
+            const mediaType = contentTypeHeader ? contentTypeHeader.split(';')[0].trim() : '';
 
             /*
              * By default, browsers will treat resource sent with the
@@ -61,6 +74,7 @@ export default class NoHtmlOnlyHeadersHint implements IHint {
 
             if ([
                 'text/html',
+                'text/xml',
                 'application/xhtml+xml'
             ].includes(mediaType)) {
                 return true;
@@ -101,8 +115,13 @@ export default class NoHtmlOnlyHeadersHint implements IHint {
             }
 
             if (!willBeTreatedAsHTML(response)) {
-                const headers: string[] = includedHeaders(response.headers, unneededHeaders);
-                const numberOfHeaders: number = headers.length;
+                let headersToValidate = unneededHeaders;
+
+                if (exceptionMediaTypes.includes(response.mediaType)) {
+                    headersToValidate = mergeIgnoreIncludeArrays(headersToValidate, exceptionHeaders, []);
+                }
+                const headers = includedHeaders(response.headers, headersToValidate);
+                const numberOfHeaders = headers.length;
 
                 if (numberOfHeaders > 0) {
                     const message = `Response should not include unneeded ${prettyPrintArray(headers)} ${numberOfHeaders === 1 ? 'header' : 'headers'}.`;
diff --git a/packages/hint-no-html-only-headers/tests/tests.ts b/packages/hint-no-html-only-headers/tests/tests.ts
@@ -15,49 +15,95 @@ const testsForDefaults: HintTest[] = [
         name: `Non HTML resource is served without unneeded headers`,
         serverConfig: {
             '/': {
-                content: htmlPage,
+                content: generateHTMLPage(undefined, '<img src="test.svg"/><script src="test.js"></script><embed src="test.pdf" type="application/pdf">'),
                 headers: {
+                    'Content-Security-Policy': 'default-src "none"',
                     'Content-Type': 'text/html; charset=utf-8',
-                    'X-Frame-Options': 'SAMEORIGIN'
+                    'X-Content-Security-Policy': 'default-src "none"',
+                    'X-WebKit-CSP': 'default-src "none"'
+                }
+            },
+            '/test.js': {
+                headers: {
+                    'Content-Security-Policy': 'default-src "none"',
+                    'Content-Type': 'application/javascript; charset=utf-8',
+                    'X-Content-Security-Policy': 'default-src "none"',
+                    'X-WebKit-CSP': 'default-src "none"'
+                }
+            },
+            '/test.pdf': {
+                headers: {
+                    'Content-Security-Policy': 'default-src "none"',
+                    'Content-Type': 'application/pdf',
+                    'X-Content-Security-Policy': 'default-src "none"',
+                    'X-WebKit-CSP': 'default-src "none"'
                 }
             },
-            '/test.js': { headers: { 'Content-Type': 'application/javascript; charset=utf-8' } }
+            '/test.svg': {
+                headers: {
+                    'Content-Security-Policy': 'default-src "none"',
+                    'Content-Type': 'image/svg+xml',
+                    'X-Content-Security-Policy': 'default-src "none"',
+                    'X-WebKit-CSP': 'default-src "none"'
+                }
+            }
         }
     },
     {
-        name: `Non HTML resource is specified as a data URI`,
-        serverConfig: { '/': generateHTMLPage(undefined, '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==">') }
+        name: `Non HTML resource is served without unneeded headers and with application/xhtml+xml content type`,
+        serverConfig: {
+            '/': {
+                content: generateHTMLPage(undefined, '<script src="test.js"></script>'),
+                headers: {
+                    'Content-Security-Policy': 'default-src "none"',
+                    'Content-Type': 'application/xhtml+xml; charset=utf-8',
+                    'X-Content-Security-Policy': 'default-src "none"',
+                    'X-WebKit-CSP': 'default-src "none"'
+                }
+            },
+            '/test.js': {
+                headers: {
+                    'Content-Security-Policy': 'default-src "none"',
+                    'Content-Type': 'application/javascript; charset=utf-8',
+                    'X-Content-Security-Policy': 'default-src "none"',
+                    'X-WebKit-CSP': 'default-src "none"'
+                }
+            }
+        }
     },
     {
-        name: `Non HTML resource is served with unneeded header`,
-        reports: [{ message: generateMessage(['content-security-policy']) }],
+        name: `Non HTML resource is served without unneeded headers and with text/xml content type`,
         serverConfig: {
             '/': {
-                content: htmlPage,
+                content: generateHTMLPage(undefined, '<script src="test.js"></script>'),
                 headers: {
-                    'Content-Type': 'text/html; charset=utf-8',
-                    'X-Frame-Options': 'SAMEORIGIN'
+                    'Content-Security-Policy': 'default-src "none"',
+                    'Content-Type': 'text/xml; charset=utf-8',
+                    'X-Content-Security-Policy': 'default-src "none"',
+                    'X-WebKit-CSP': 'default-src "none"'
                 }
             },
             '/test.js': {
                 headers: {
                     'Content-Security-Policy': 'default-src "none"',
-                    'Content-Type': 'application/javascript; charset=utf-8'
+                    'Content-Type': 'application/javascript; charset=utf-8',
+                    'X-Content-Security-Policy': 'default-src "none"',
+                    'X-WebKit-CSP': 'default-src "none"'
                 }
             }
         }
     },
+    {
+        name: `Non HTML resource is specified as a data URI`,
+        serverConfig: { '/': generateHTMLPage(undefined, '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==">') }
+    },
     {
         name: `Non HTML resource is served with multiple unneeded headers`,
         reports: [
             {
                 message: generateMessage([
-                    'content-security-policy',
                     'feature-policy',
-                    'x-content-security-policy',
-                    'x-frame-options',
                     'x-ua-compatible',
-                    'x-webkit-csp',
                     'x-xss-protection'
                 ])
             }
@@ -68,7 +114,6 @@ const testsForDefaults: HintTest[] = [
                 headers: {
                     'Content-Type': 'text/html; charset=utf-8',
                     'X-Content-Security-Policy': 'default-src "none"',
-                    'X-Frame-Options': 'DENY',
                     'X-UA-Compatible': 'IE=Edge',
                     'X-WebKit-CSP': 'default-src "none"',
                     'X-XSS-Protection': '1; mode=block'
@@ -80,7 +125,6 @@ const testsForDefaults: HintTest[] = [
                     'Content-Type': 'application/javascript; charset=utf-8',
                     'Feature-Policy': `geolocation 'self'`,
                     'X-Content-Security-Policy': 'default-src "none"',
-                    'X-Frame-Options': 'DENY',
                     'X-UA-Compatible': 'IE=Edge',
                     'X-WebKit-CSP': 'default-src "none"',
                     'X-XSS-Protection': '1; mode=block'
@@ -138,7 +182,6 @@ const testsForIgnoreConfigs: HintTest[] = [
                 headers: {
                     'Content-Type': 'text/html; charset=utf-8',
                     'Feature-Policy': `geolocation 'self'`,
-                    'X-Frame-Options': 'SAMEORIGIN',
                     'X-UA-Compatible': 'IE=Edge'
                 }
             },
@@ -159,7 +202,6 @@ const testsForIncludeConfigs: HintTest[] = [
         reports: [
             {
                 message: generateMessage([
-                    'content-security-policy',
                     'x-test-1',
                     'x-ua-compatible'
                 ])
@@ -170,7 +212,6 @@ const testsForIncludeConfigs: HintTest[] = [
                 content: htmlPage,
                 headers: {
                     'Content-Type': 'text/html; charset=utf-8',
-                    'X-Frame-Options': 'SAMEORIGIN',
                     'X-Test-1': 'test',
                     'X-Test-2': 'test'
                 }
@@ -193,7 +234,6 @@ const testsForConfigs: HintTest[] = [
         reports: [
             {
                 message: generateMessage([
-                    'content-security-policy',
                     'x-test-1',
                     'x-ua-compatible'
                 ])
@@ -204,7 +244,6 @@ const testsForConfigs: HintTest[] = [
                 content: htmlPage,
                 headers: {
                     'Content-Type': 'text/html; charset=utf-8',
-                    'X-Frame-Options': 'SAMEORIGIN',
                     'X-Test-1': 'test',
                     'X-Test-2': 'test'
                 }
@@ -223,11 +262,11 @@ const testsForConfigs: HintTest[] = [
 ];
 
 testHint(hintPath, testsForDefaults);
-testHint(hintPath, testsForIgnoreConfigs, { hintOptions: { ignore: ['Content-Security-Policy', 'X-UA-Compatible', 'X-Test-1'] } });
-testHint(hintPath, testsForIncludeConfigs, { hintOptions: { include: ['Content-Security-Policy', 'X-Test-1', 'X-Test-2'] } });
+testHint(hintPath, testsForIgnoreConfigs, { hintOptions: { ignore: ['X-UA-Compatible', 'X-Test-1'] } });
+testHint(hintPath, testsForIncludeConfigs, { hintOptions: { include: ['X-Test-1', 'X-Test-2'] } });
 testHint(hintPath, testsForConfigs, {
     hintOptions: {
-        ignore: ['X-Frame-Options', 'X-Test-2', 'X-Test-3'],
+        ignore: ['X-Test-2', 'X-Test-3'],
         include: ['X-Test-1', 'X-Test-2', 'X-UA-Compatible']
     }
 });
