Home Explore Help
Sign In
RISCI_ATOM
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Files Issues 23 Wiki
Tree: 681498a050
Branches Tags
nextcloud-serve...
/
core
/
js
/
tests
/
specs
/
setupchecksSpec.js

setupchecksSpec.js 32 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926 
  1. /**
    2. 

  2.  * Copyright (c) 2015 Lukas Reschke <lukas@owncloud.com>
    3. 

  3.  *
    4. 

  4.  * This file is licensed under the Affero General Public License version 3
    5. 

  5.  * or later.
    6. 

  6.  *
    7. 

  7.  * See the COPYING-README file.
    8. 

  8.  *
    9. 

  9.  */
    10. 

  10. 

  11. describe('OC.SetupChecks tests', function() {
    12. 

  12. 	var suite = this;
    13. 

  13. 	var protocolStub;
    14. 

  14. 

  15. 	beforeEach( function(){
    16. 

  16. 		protocolStub = sinon.stub(OC, 'getProtocol');
    17. 

  17. 		suite.server = sinon.fakeServer.create();
    18. 

  18. 	});
    19. 

  19. 

  20. 	afterEach( function(){
    21. 

  21. 		suite.server.restore();
    22. 

  22. 		protocolStub.restore();
    23. 

  23. 	});
    24. 

  24. 

  25. 	describe('checkWebDAV', function() {
    26. 

  26. 		it('should fail with another response status code than 201 or 207', function(done) {
    27. 

  27. 			var async = OC.SetupChecks.checkWebDAV();
    28. 

  28. 

  29. 			suite.server.requests[0].respond(200);
    30. 

  30. 

  31. 			async.done(function( data, s, x ){
    32. 

  32. 				expect(data).toEqual([{
    33. 

  33. 					msg: 'Your web server is not yet properly set up to allow file synchronization, because the WebDAV interface seems to be broken.',
    34. 

  34. 					type: OC.SetupChecks.MESSAGE_TYPE_ERROR
    35. 

  35. 				}]);
    36. 

  36. 				done();
    37. 

  37. 			});
    38. 

  38. 		});
    39. 

  39. 

  40. 		it('should return no error with a response status code of 207', function(done) {
    41. 

  41. 			var async = OC.SetupChecks.checkWebDAV();
    42. 

  42. 

  43. 			suite.server.requests[0].respond(207);
    44. 

  44. 

  45. 			async.done(function( data, s, x ){
    46. 

  46. 				expect(data).toEqual([]);
    47. 

  47. 				done();
    48. 

  48. 			});
    49. 

  49. 		});
    50. 

  50. 

  51. 		it('should return no error with a response status code of 401', function(done) {
    52. 

  52. 			var async = OC.SetupChecks.checkWebDAV();
    53. 

  53. 

  54. 			suite.server.requests[0].respond(401);
    55. 

  55. 

  56. 			async.done(function( data, s, x ){
    57. 

  57. 				expect(data).toEqual([]);
    58. 

  58. 				done();
    59. 

  59. 			});
    60. 

  60. 		});
    61. 

  61. 	});
    62. 

  62. 

  63. 	describe('checkSetup', function() {
    64. 

  64. 		it('should return an error if server has no internet connection', function(done) {
    65. 

  65. 			var async = OC.SetupChecks.checkSetup();
    66. 

  66. 

  67. 			suite.server.requests[0].respond(
    68. 

  68. 				200,
    69. 

  69. 				{
    70. 

  70. 					'Content-Type': 'application/json'
    71. 

  71. 				},
    72. 

  72. 				JSON.stringify({
    73. 

  73. 					generic: {
    74. 

  74. 						network: {
    75. 

  75. 							"Internet connectivity": {
    76. 

  76. 								severity: "warning",
    77. 

  77. 								description: 'This server has no working internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. Establish a connection from this server to the internet to enjoy all features.',
    78. 

  78. 								linkToDoc: null
    79. 

  79. 							}
    80. 

  80. 						},
    81. 

  81. 					},
    82. 

  82. 				})
    83. 

  83. 			);
    84. 

  84. 

  85. 			async.done(function( data, s, x ){
    86. 

  86. 				expect(data).toEqual([
    87. 

  87. 					{
    88. 

  88. 						msg: 'This server has no working internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. Establish a connection from this server to the internet to enjoy all features.',
    89. 

  89. 						type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    90. 

  90. 					},
    91. 

  91. 				]);
    92. 

  92. 				done();
    93. 

  93. 			});
    94. 

  94. 		});
    95. 

  95. 

  96. 		it('should return an error if server has no internet connection and data directory is not protected', function(done) {
    97. 

  97. 			var async = OC.SetupChecks.checkSetup();
    98. 

  98. 

  99. 			suite.server.requests[0].respond(
    100. 

  100. 				200,
    101. 

  101. 				{
    102. 

  102. 					'Content-Type': 'application/json'
    103. 

  103. 				},
    104. 

  104. 				JSON.stringify({
    105. 

  105. 					generic: {
    106. 

  106. 						network: {
    107. 

  107. 							"Internet connectivity": {
    108. 

  108. 								severity: "warning",
    109. 

  109. 								description: 'This server has no working internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. Establish a connection from this server to the internet to enjoy all features.',
    110. 

  110. 								linkToDoc: null
    111. 

  111. 							}
    112. 

  112. 						},
    113. 

  113. 					},
    114. 

  114. 				})
    115. 

  115. 			);
    116. 

  116. 

  117. 			async.done(function( data, s, x ){
    118. 

  118. 				expect(data).toEqual([
    119. 

  119. 					{
    120. 

  120. 						msg: 'This server has no working internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. Establish a connection from this server to the internet to enjoy all features.',
    121. 

  121. 						type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    122. 

  122. 					},
    123. 

  123. 				]);
    124. 

  124. 				done();
    125. 

  125. 			});
    126. 

  126. 		});
    127. 

  127. 

  128. 		it('should return an error if server has no internet connection and data directory is not protected and memcache is available', function(done) {
    129. 

  129. 			var async = OC.SetupChecks.checkSetup();
    130. 

  130. 

  131. 			suite.server.requests[0].respond(
    132. 

  132. 				200,
    133. 

  133. 				{
    134. 

  134. 					'Content-Type': 'application/json',
    135. 

  135. 				},
    136. 

  136. 				JSON.stringify({
    137. 

  137. 					generic: {
    138. 

  138. 						network: {
    139. 

  139. 							"Internet connectivity": {
    140. 

  140. 								severity: "warning",
    141. 

  141. 								description: 'This server has no working internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. Establish a connection from this server to the internet to enjoy all features.',
    142. 

  142. 								linkToDoc: null
    143. 

  143. 							}
    144. 

  144. 						},
    145. 

  145. 					},
    146. 

  146. 				})
    147. 

  147. 			);
    148. 

  148. 

  149. 			async.done(function( data, s, x ){
    150. 

  150. 				expect(data).toEqual([
    151. 

  151. 				{
    152. 

  152. 					msg: 'This server has no working internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. Establish a connection from this server to the internet to enjoy all features.',
    153. 

  153. 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    154. 

  154. 				}
    155. 

  155. 				]);
    156. 

  156. 				done();
    157. 

  157. 			});
    158. 

  158. 		});
    159. 

  159. 

  160. 		it('should return a warning if the memory limit is below the recommended value', function(done) {
    161. 

  161. 			var async = OC.SetupChecks.checkSetup();
    162. 

  162. 

  163. 			suite.server.requests[0].respond(
    164. 

  164. 				200,
    165. 

  165. 				{
    166. 

  166. 					'Content-Type': 'application/json',
    167. 

  167. 				},
    168. 

  168. 				JSON.stringify({
    169. 

  169. 					generic: {
    170. 

  170. 						network: {
    171. 

  171. 							"Internet connectivity": {
    172. 

  172. 								severity: "success",
    173. 

  173. 								description: null,
    174. 

  174. 								linkToDoc: null
    175. 

  175. 							}
    176. 

  176. 						},
    177. 

  177. 						php: {
    178. 

  178. 							"Internet connectivity": {
    179. 

  179. 								severity: "success",
    180. 

  180. 								description: null,
    181. 

  181. 								linkToDoc: null
    182. 

  182. 							},
    183. 

  183. 							"PHP memory limit": {
    184. 

  184. 								severity: "error",
    185. 

  185. 								description: "The PHP memory limit is below the recommended value of 512MB.",
    186. 

  186. 								linkToDoc: null
    187. 

  187. 							},
    188. 

  188. 						},
    189. 

  189. 					},
    190. 

  190. 				})
    191. 

  191. 			);
    192. 

  192. 

  193. 			async.done(function( data, s, x ){
    194. 

  194. 				expect(data).toEqual([{
    195. 

  195. 					msg: 'The PHP memory limit is below the recommended value of 512MB.',
    196. 

  196. 					type: OC.SetupChecks.MESSAGE_TYPE_ERROR
    197. 

  197. 				}]);
    198. 

  198. 				done();
    199. 

  199. 			});
    200. 

  200. 		});
    201. 

  201. 

  202. 		it('should return an error if the response has no statuscode 200', function(done) {
    203. 

  203. 			var async = OC.SetupChecks.checkSetup();
    204. 

  204. 

  205. 			suite.server.requests[0].respond(
    206. 

  206. 				500,
    207. 

  207. 				{
    208. 

  208. 					'Content-Type': 'application/json'
    209. 

  209. 				},
    210. 

  210. 				JSON.stringify({data: {serverHasInternetConnectionProblems: true}})
    211. 

  211. 			);
    212. 

  212. 

  213. 			async.done(function( data, s, x ){
    214. 

  214. 				expect(data).toEqual([{
    215. 

  215. 					msg: 'Error occurred while checking server setup',
    216. 

  216. 					type: OC.SetupChecks.MESSAGE_TYPE_ERROR
    217. 

  217. 				}]);
    218. 

  218. 				done();
    219. 

  219. 			});
    220. 

  220. 		});
    221. 

  221. 

  222. 		it('should return an error if the php version is no longer supported', function(done) {
    223. 

  223. 			var async = OC.SetupChecks.checkSetup();
    224. 

  224. 

  225. 			suite.server.requests[0].respond(
    226. 

  226. 				200,
    227. 

  227. 				{
    228. 

  228. 					'Content-Type': 'application/json',
    229. 

  229. 				},
    230. 

  230. 				JSON.stringify({
    231. 

  231. 					generic: {
    232. 

  232. 						network: {
    233. 

  233. 							"Internet connectivity": {
    234. 

  234. 								severity: "success",
    235. 

  235. 								description: null,
    236. 

  236. 								linkToDoc: null
    237. 

  237. 							}
    238. 

  238. 						},
    239. 

  239. 						security: {
    240. 

  240. 							"Checking for PHP version": {
    241. 

  241. 								severity: "warning",
    242. 

  242. 								description: "You are currently running PHP 8.0.30. PHP 8.0 is now deprecated in Nextcloud 27. Nextcloud 28 may require at least PHP 8.1. Please upgrade to one of the officially supported PHP versions provided by the PHP Group as soon as possible.",
    243. 

  243. 								linkToDoc: "https://secure.php.net/supported-versions.php"
    244. 

  244. 							}
    245. 

  245. 						},
    246. 

  246. 					},
    247. 

  247. 				})
    248. 

  248. 			);
    249. 

  249. 

  250. 			async.done(function( data, s, x ){
    251. 

  251. 				expect(data).toEqual([{
    252. 

  252. 					msg: 'You are currently running PHP 8.0.30. PHP 8.0 is now deprecated in Nextcloud 27. Nextcloud 28 may require at least PHP 8.1. Please upgrade to one of the officially supported PHP versions provided by the PHP Group as soon as possible. For more details see the <a target="_blank" rel="noreferrer noopener" class="external" href="https://secure.php.net/supported-versions.php">documentation ↗</a>.',
    253. 

  253. 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    254. 

  254. 				}]);
    255. 

  255. 				done();
    256. 

  256. 			});
    257. 

  257. 		});
    258. 

  258. 

  259. 		it('should not return an error if the protocol is http and the server generates http links', function(done) {
    260. 

  260. 			var async = OC.SetupChecks.checkSetup();
    261. 

  261. 

  262. 			suite.server.requests[0].respond(
    263. 

  263. 				200,
    264. 

  264. 				{
    265. 

  265. 					'Content-Type': 'application/json',
    266. 

  266. 				},
    267. 

  267. 				JSON.stringify({
    268. 

  268. 					generic: {
    269. 

  269. 						network: {
    270. 

  270. 							"Internet connectivity": {
    271. 

  271. 								severity: "success",
    272. 

  272. 								description: null,
    273. 

  273. 								linkToDoc: null
    274. 

  274. 							}
    275. 

  275. 						},
    276. 

  276. 					},
    277. 

  277. 				})
    278. 

  278. 			);
    279. 

  279. 

  280. 			async.done(function( data, s, x ){
    281. 

  281. 				expect(data).toEqual([]);
    282. 

  282. 				done();
    283. 

  283. 			});
    284. 

  284. 		});
    285. 

  285. 

  286. 		it('should return an info if there is no default phone region', function(done) {
    287. 

  287. 			var async = OC.SetupChecks.checkSetup();
    288. 

  288. 

  289. 			suite.server.requests[0].respond(
    290. 

  290. 				200,
    291. 

  291. 				{
    292. 

  292. 					'Content-Type': 'application/json',
    293. 

  293. 				},
    294. 

  294. 				JSON.stringify({
    295. 

  295. 					generic: {
    296. 

  296. 						network: {
    297. 

  297. 							"Internet connectivity": {
    298. 

  298. 								severity: "success",
    299. 

  299. 								description: null,
    300. 

  300. 								linkToDoc: null
    301. 

  301. 							}
    302. 

  302. 						},
    303. 

  303. 						config: {
    304. 

  304. 							"Checking for default phone region": {
    305. 

  305. 								severity: "info",
    306. 

  306. 								description: "Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add \"default_phone_region\" with the respective ISO 3166-1 code of the region to your config file.",
    307. 

  307. 								linkToDoc: "https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements"
    308. 

  308. 							},
    309. 

  309. 						},
    310. 

  310. 					},
    311. 

  311. 				})
    312. 

  312. 			);
    313. 

  313. 

  314. 			async.done(function( data, s, x ){
    315. 

  315. 				expect(data).toEqual([{
    316. 

  316. 					msg: 'Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add &quot;default_phone_region&quot; with the respective ISO 3166-1 code of the region to your config file. For more details see the <a target="_blank" rel="noreferrer noopener" class="external" href="https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements">documentation ↗</a>.',
    317. 

  317. 					type: OC.SetupChecks.MESSAGE_TYPE_INFO
    318. 

  318. 				}]);
    319. 

  319. 				done();
    320. 

  320. 			});
    321. 

  321. 		});
    322. 

  322. 	});
    323. 

  323. 

  324. 	describe('checkGeneric', function() {
    325. 

  325. 		it('should return an error if the response has no statuscode 200', function(done) {
    326. 

  326. 			var async = OC.SetupChecks.checkGeneric();
    327. 

  327. 

  328. 			suite.server.requests[0].respond(
    329. 

  329. 				500,
    330. 

  330. 				{
    331. 

  331. 					'Content-Type': 'application/json'
    332. 

  332. 				}
    333. 

  333. 			);
    334. 

  334. 

  335. 			async.done(function( data, s, x ){
    336. 

  336. 				expect(data).toEqual([{
    337. 

  337. 					msg: 'Error occurred while checking server setup',
    338. 

  338. 					type: OC.SetupChecks.MESSAGE_TYPE_ERROR
    339. 

  339. 				},{
    340. 

  340. 					msg: 'Error occurred while checking server setup',
    341. 

  341. 					type: OC.SetupChecks.MESSAGE_TYPE_ERROR
    342. 

  342. 				}]);
    343. 

  343. 				done();
    344. 

  344. 			});
    345. 

  345. 		});
    346. 

  346. 

  347. 		it('should return all errors if all headers are missing', function(done) {
    348. 

  348. 			protocolStub.returns('https');
    349. 

  349. 			var async = OC.SetupChecks.checkGeneric();
    350. 

  350. 

  351. 			suite.server.requests[0].respond(
    352. 

  352. 				200,
    353. 

  353. 				{
    354. 

  354. 					'Content-Type': 'application/json',
    355. 

  355. 					'Strict-Transport-Security': 'max-age=15768000'
    356. 

  356. 				},
    357. 

  357. 				'{}'
    358. 

  358. 			);
    359. 

  359. 

  360. 			async.done(function( data, s, x ){
    361. 

  361. 				expect(data).toEqual([
    362. 

  362. 				{
    363. 

  363. 					msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
    364. 

  364. 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    365. 

  365. 				}, {
    366. 

  366. 					msg: 'The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
    367. 

  367. 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    368. 

  368. 				}, {
    369. 

  369. 					msg: 'The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
    370. 

  370. 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    371. 

  371. 				}, {
    372. 

  372. 					msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
    373. 

  373. 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    374. 

  374. 				}, {
    375. 

  375. 					msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
    376. 

  376. 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    377. 

  377. 				}, {
    378. 

  378. 					msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">W3C Recommendation ↗</a>.',
    379. 

  379. 					type: OC.SetupChecks.MESSAGE_TYPE_INFO
    380. 

  380. 				}
    381. 

  381. 				]);
    382. 

  382. 				done();
    383. 

  383. 			});
    384. 

  384. 		});
    385. 

  385. 

  386. 		it('should return only some errors if just some headers are missing', function(done) {
    387. 

  387. 			protocolStub.returns('https');
    388. 

  388. 			var async = OC.SetupChecks.checkGeneric();
    389. 

  389. 

  390. 			suite.server.requests[0].respond(
    391. 

  391. 				200,
    392. 

  392. 				{
    393. 

  393. 					'X-Robots-Tag': 'noindex, nofollow',
    394. 

  394. 					'X-Frame-Options': 'SAMEORIGIN',
    395. 

  395. 					'Strict-Transport-Security': 'max-age=15768000;preload',
    396. 

  396. 					'X-Permitted-Cross-Domain-Policies': 'none',
    397. 

  397. 					'Referrer-Policy': 'no-referrer',
    398. 

  398. 				}
    399. 

  399. 			);
    400. 

  400. 

  401. 			async.done(function( data, s, x ){
    402. 

  402. 				expect(data).toEqual([
    403. 

  403. 				{
    404. 

  404. 					msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
    405. 

  405. 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    406. 

  406. 				}, {
    407. 

  407. 					msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
    408. 

  408. 					type: OC.SetupChecks.MESSAGE_TYPE_WARNING,
    409. 

  409. 				}
    410. 

  410. 				]);
    411. 

  411. 				done();
    412. 

  412. 			});
    413. 

  413. 		});
    414. 

  414. 

  415. 		it('should return none errors if all headers are there', function(done) {
    416. 

  416. 			protocolStub.returns('https');
    417. 

  417. 			var async = OC.SetupChecks.checkGeneric();
    418. 

  418. 

  419. 			suite.server.requests[0].respond(
    420. 

  420. 				200,
    421. 

  421. 				{
    422. 

  422. 					'X-XSS-Protection': '1; mode=block',
    423. 

  423. 					'X-Content-Type-Options': 'nosniff',
    424. 

  424. 					'X-Robots-Tag': 'noindex, nofollow',
    425. 

  425. 					'X-Frame-Options': 'SAMEORIGIN',
    426. 

  426. 					'Strict-Transport-Security': 'max-age=15768000',
    427. 

  427. 					'X-Permitted-Cross-Domain-Policies': 'none',
    428. 

  428. 					'Referrer-Policy': 'no-referrer'
    429. 

  429. 				}
    430. 

  430. 			);
    431. 

  431. 

  432. 			async.done(function( data, s, x ){
    433. 

  433. 				expect(data).toEqual([]);
    434. 

  434. 				done();
    435. 

  435. 			});
    436. 

  436. 		});
    437. 

  437. 

  438. 		describe('check X-Robots-Tag header', function() {
    439. 

  439. 			it('should return no message if X-Robots-Tag is set to noindex,nofollow without space', function(done) {
    440. 

  440. 				protocolStub.returns('https');
    441. 

  441. 				var result = OC.SetupChecks.checkGeneric();
    442. 

  442. 				suite.server.requests[0].respond(200, {
    443. 

  443. 					'Strict-Transport-Security': 'max-age=15768000',
    444. 

  444. 					'X-XSS-Protection': '1; mode=block',
    445. 

  445. 					'X-Content-Type-Options': 'nosniff',
    446. 

  446. 					'X-Robots-Tag': 'noindex,nofollow',
    447. 

  447. 					'X-Frame-Options': 'SAMEORIGIN',
    448. 

  448. 					'X-Permitted-Cross-Domain-Policies': 'none',
    449. 

  449. 					'Referrer-Policy': 'no-referrer',
    450. 

  450. 				});
    451. 

  451. 				result.done(function( data, s, x ){
    452. 

  452. 					expect(data).toEqual([]);
    453. 

  453. 					done();
    454. 

  454. 				});
    455. 

  455. 			});
    456. 

  456. 

  457. 			it('should return a message if X-Robots-Tag is set to none', function(done) {
    458. 

  458. 				protocolStub.returns('https');
    459. 

  459. 				var result = OC.SetupChecks.checkGeneric();
    460. 

  460. 				suite.server.requests[0].respond(200, {
    461. 

  461. 					'Strict-Transport-Security': 'max-age=15768000',
    462. 

  462. 					'X-XSS-Protection': '1; mode=block',
    463. 

  463. 					'X-Content-Type-Options': 'nosniff',
    464. 

  464. 					'X-Robots-Tag': 'none',
    465. 

  465. 					'X-Frame-Options': 'SAMEORIGIN',
    466. 

  466. 					'X-Permitted-Cross-Domain-Policies': 'none',
    467. 

  467. 					'Referrer-Policy': 'no-referrer',
    468. 

  468. 				});
    469. 

  469. 				result.done(function( data, s, x ){
    470. 

  470. 					expect(data).toEqual([
    471. 

  471. 						{
    472. 

  472. 							msg: 'The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
    473. 

  473. 							type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    474. 

  474. 						}
    475. 

  475. 					]);
    476. 

  476. 					done();
    477. 

  477. 				});
    478. 

  478. 			});
    479. 

  479. 		});
    480. 

  480. 

  481. 		describe('check X-XSS-Protection header', function() {
    482. 

  482. 			it('should return no message if X-XSS-Protection is set to 1; mode=block; report=https://example.com', function(done) {
    483. 

  483. 				protocolStub.returns('https');
    484. 

  484. 				var result = OC.SetupChecks.checkGeneric();
    485. 

  485. 

  486. 				suite.server.requests[0].respond(200, {
    487. 

  487. 					'Strict-Transport-Security': 'max-age=15768000',
    488. 

  488. 					'X-XSS-Protection': '1; mode=block; report=https://example.com',
    489. 

  489. 					'X-Content-Type-Options': 'nosniff',
    490. 

  490. 					'X-Robots-Tag': 'noindex, nofollow',
    491. 

  491. 					'X-Frame-Options': 'SAMEORIGIN',
    492. 

  492. 					'X-Permitted-Cross-Domain-Policies': 'none',
    493. 

  493. 					'Referrer-Policy': 'no-referrer',
    494. 

  494. 				});
    495. 

  495. 

  496. 				result.done(function( data, s, x ){
    497. 

  497. 					expect(data).toEqual([]);
    498. 

  498. 					done();
    499. 

  499. 				});
    500. 

  500. 			});
    501. 

  501. 

  502. 			it('should return no message if X-XSS-Protection is set to 1; mode=block', function(done) {
    503. 

  503. 				protocolStub.returns('https');
    504. 

  504. 				var result = OC.SetupChecks.checkGeneric();
    505. 

  505. 

  506. 				suite.server.requests[0].respond(200, {
    507. 

  507. 					'Strict-Transport-Security': 'max-age=15768000',
    508. 

  508. 					'X-XSS-Protection': '1; mode=block',
    509. 

  509. 					'X-Content-Type-Options': 'nosniff',
    510. 

  510. 					'X-Robots-Tag': 'noindex, nofollow',
    511. 

  511. 					'X-Frame-Options': 'SAMEORIGIN',
    512. 

  512. 					'X-Permitted-Cross-Domain-Policies': 'none',
    513. 

  513. 					'Referrer-Policy': 'no-referrer',
    514. 

  514. 				});
    515. 

  515. 

  516. 				result.done(function( data, s, x ){
    517. 

  517. 					expect(data).toEqual([]);
    518. 

  518. 					done();
    519. 

  519. 				});
    520. 

  520. 			});
    521. 

  521. 

  522. 			it('should return a message if X-XSS-Protection is set to 1', function(done) {
    523. 

  523. 				protocolStub.returns('https');
    524. 

  524. 				var result = OC.SetupChecks.checkGeneric();
    525. 

  525. 

  526. 				suite.server.requests[0].respond(200, {
    527. 

  527. 					'Strict-Transport-Security': 'max-age=15768000',
    528. 

  528. 					'X-XSS-Protection': '1',
    529. 

  529. 					'X-Content-Type-Options': 'nosniff',
    530. 

  530. 					'X-Robots-Tag': 'noindex, nofollow',
    531. 

  531. 					'X-Frame-Options': 'SAMEORIGIN',
    532. 

  532. 					'X-Permitted-Cross-Domain-Policies': 'none',
    533. 

  533. 					'Referrer-Policy': 'no-referrer',
    534. 

  534. 				});
    535. 

  535. 

  536. 				result.done(function( data, s, x ){
    537. 

  537. 					expect(data).toEqual([
    538. 

  538. 						{
    539. 

  539. 							msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
    540. 

  540. 							type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    541. 

  541. 						}
    542. 

  542. 					]);
    543. 

  543. 					done();
    544. 

  544. 				});
    545. 

  545. 			});
    546. 

  546. 

  547. 			it('should return a message if X-XSS-Protection is set to 0', function(done) {
    548. 

  548. 				protocolStub.returns('https');
    549. 

  549. 				var result = OC.SetupChecks.checkGeneric();
    550. 

  550. 

  551. 				suite.server.requests[0].respond(200, {
    552. 

  552. 					'Strict-Transport-Security': 'max-age=15768000',
    553. 

  553. 					'X-XSS-Protection': '0',
    554. 

  554. 					'X-Content-Type-Options': 'nosniff',
    555. 

  555. 					'X-Robots-Tag': 'noindex, nofollow',
    556. 

  556. 					'X-Frame-Options': 'SAMEORIGIN',
    557. 

  557. 					'X-Permitted-Cross-Domain-Policies': 'none',
    558. 

  558. 					'Referrer-Policy': 'no-referrer',
    559. 

  559. 				});
    560. 

  560. 

  561. 				result.done(function( data, s, x ){
    562. 

  562. 					expect(data).toEqual([
    563. 

  563. 						{
    564. 

  564. 							msg: 'The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
    565. 

  565. 							type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    566. 

  566. 						}
    567. 

  567. 					]);
    568. 

  568. 					done();
    569. 

  569. 				});
    570. 

  570. 			});
    571. 

  571. 		});
    572. 

  572. 

  573. 		describe('check Referrer-Policy header', function() {
    574. 

  574. 			it('should return no message if Referrer-Policy is set to no-referrer', function(done) {
    575. 

  575. 				protocolStub.returns('https');
    576. 

  576. 				var result = OC.SetupChecks.checkGeneric();
    577. 

  577. 

  578. 				suite.server.requests[0].respond(200, {
    579. 

  579. 					'Strict-Transport-Security': 'max-age=15768000',
    580. 

  580. 					'X-XSS-Protection': '1; mode=block',
    581. 

  581. 					'X-Content-Type-Options': 'nosniff',
    582. 

  582. 					'X-Robots-Tag': 'noindex, nofollow',
    583. 

  583. 					'X-Frame-Options': 'SAMEORIGIN',
    584. 

  584. 					'X-Permitted-Cross-Domain-Policies': 'none',
    585. 

  585. 					'Referrer-Policy': 'no-referrer',
    586. 

  586. 				});
    587. 

  587. 

  588. 				result.done(function( data, s, x ){
    589. 

  589. 					expect(data).toEqual([]);
    590. 

  590. 					done();
    591. 

  591. 				});
    592. 

  592. 			});
    593. 

  593. 

  594. 			it('should return no message if Referrer-Policy is set to no-referrer-when-downgrade', function(done) {
    595. 

  595. 				protocolStub.returns('https');
    596. 

  596. 				var result = OC.SetupChecks.checkGeneric();
    597. 

  597. 

  598. 				suite.server.requests[0].respond(200, {
    599. 

  599. 					'Strict-Transport-Security': 'max-age=15768000',
    600. 

  600. 					'X-XSS-Protection': '1; mode=block',
    601. 

  601. 					'X-Content-Type-Options': 'nosniff',
    602. 

  602. 					'X-Robots-Tag': 'noindex, nofollow',
    603. 

  603. 					'X-Frame-Options': 'SAMEORIGIN',
    604. 

  604. 					'X-Permitted-Cross-Domain-Policies': 'none',
    605. 

  605. 					'Referrer-Policy': 'no-referrer-when-downgrade',
    606. 

  606. 				});
    607. 

  607. 

  608. 				result.done(function( data, s, x ){
    609. 

  609. 					expect(data).toEqual([]);
    610. 

  610. 					done();
    611. 

  611. 				});
    612. 

  612. 			});
    613. 

  613. 

  614. 			it('should return no message if Referrer-Policy is set to strict-origin', function(done) {
    615. 

  615. 				protocolStub.returns('https');
    616. 

  616. 				var result = OC.SetupChecks.checkGeneric();
    617. 

  617. 

  618. 				suite.server.requests[0].respond(200, {
    619. 

  619. 					'Strict-Transport-Security': 'max-age=15768000',
    620. 

  620. 					'X-XSS-Protection': '1; mode=block',
    621. 

  621. 					'X-Content-Type-Options': 'nosniff',
    622. 

  622. 					'X-Robots-Tag': 'noindex, nofollow',
    623. 

  623. 					'X-Frame-Options': 'SAMEORIGIN',
    624. 

  624. 					'X-Permitted-Cross-Domain-Policies': 'none',
    625. 

  625. 					'Referrer-Policy': 'strict-origin',
    626. 

  626. 				});
    627. 

  627. 

  628. 				result.done(function( data, s, x ){
    629. 

  629. 					expect(data).toEqual([]);
    630. 

  630. 					done();
    631. 

  631. 				});
    632. 

  632. 			});
    633. 

  633. 

  634. 			it('should return no message if Referrer-Policy is set to strict-origin-when-cross-origin', function(done) {
    635. 

  635. 				protocolStub.returns('https');
    636. 

  636. 				var result = OC.SetupChecks.checkGeneric();
    637. 

  637. 

  638. 				suite.server.requests[0].respond(200, {
    639. 

  639. 					'Strict-Transport-Security': 'max-age=15768000',
    640. 

  640. 					'X-XSS-Protection': '1; mode=block',
    641. 

  641. 					'X-Content-Type-Options': 'nosniff',
    642. 

  642. 					'X-Robots-Tag': 'noindex, nofollow',
    643. 

  643. 					'X-Frame-Options': 'SAMEORIGIN',
    644. 

  644. 					'X-Permitted-Cross-Domain-Policies': 'none',
    645. 

  645. 					'Referrer-Policy': 'strict-origin-when-cross-origin',
    646. 

  646. 				});
    647. 

  647. 

  648. 				result.done(function( data, s, x ){
    649. 

  649. 					expect(data).toEqual([]);
    650. 

  650. 					done();
    651. 

  651. 				});
    652. 

  652. 			});
    653. 

  653. 

  654. 			it('should return no message if Referrer-Policy is set to same-origin', function(done) {
    655. 

  655. 				protocolStub.returns('https');
    656. 

  656. 				var result = OC.SetupChecks.checkGeneric();
    657. 

  657. 

  658. 				suite.server.requests[0].respond(200, {
    659. 

  659. 					'Strict-Transport-Security': 'max-age=15768000',
    660. 

  660. 					'X-XSS-Protection': '1; mode=block',
    661. 

  661. 					'X-Content-Type-Options': 'nosniff',
    662. 

  662. 					'X-Robots-Tag': 'noindex, nofollow',
    663. 

  663. 					'X-Frame-Options': 'SAMEORIGIN',
    664. 

  664. 					'X-Permitted-Cross-Domain-Policies': 'none',
    665. 

  665. 					'Referrer-Policy': 'same-origin',
    666. 

  666. 				});
    667. 

  667. 

  668. 				result.done(function( data, s, x ){
    669. 

  669. 					expect(data).toEqual([]);
    670. 

  670. 					done();
    671. 

  671. 				});
    672. 

  672. 			});
    673. 

  673. 

  674. 			it('should return a message if Referrer-Policy is set to origin', function(done) {
    675. 

  675. 				protocolStub.returns('https');
    676. 

  676. 				var result = OC.SetupChecks.checkGeneric();
    677. 

  677. 

  678. 				suite.server.requests[0].respond(200, {
    679. 

  679. 					'Strict-Transport-Security': 'max-age=15768000',
    680. 

  680. 					'X-XSS-Protection': '1; mode=block',
    681. 

  681. 					'X-Content-Type-Options': 'nosniff',
    682. 

  682. 					'X-Robots-Tag': 'noindex, nofollow',
    683. 

  683. 					'X-Frame-Options': 'SAMEORIGIN',
    684. 

  684. 					'X-Permitted-Cross-Domain-Policies': 'none',
    685. 

  685. 					'Referrer-Policy': 'origin',
    686. 

  686. 				});
    687. 

  687. 

  688. 				result.done(function( data, s, x ){
    689. 

  689. 					expect(data).toEqual([
    690. 

  690. 						{
    691. 

  691. 							msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">W3C Recommendation ↗</a>.',
    692. 

  692. 							type: OC.SetupChecks.MESSAGE_TYPE_INFO
    693. 

  693. 						}
    694. 

  694. 					]);
    695. 

  695. 					done();
    696. 

  696. 				});
    697. 

  697. 			});
    698. 

  698. 

  699. 			it('should return a message if Referrer-Policy is set to origin-when-cross-origin', function(done) {
    700. 

  700. 				protocolStub.returns('https');
    701. 

  701. 				var result = OC.SetupChecks.checkGeneric();
    702. 

  702. 

  703. 				suite.server.requests[0].respond(200, {
    704. 

  704. 					'Strict-Transport-Security': 'max-age=15768000',
    705. 

  705. 					'X-XSS-Protection': '1; mode=block',
    706. 

  706. 					'X-Content-Type-Options': 'nosniff',
    707. 

  707. 					'X-Robots-Tag': 'noindex, nofollow',
    708. 

  708. 					'X-Frame-Options': 'SAMEORIGIN',
    709. 

  709. 					'X-Permitted-Cross-Domain-Policies': 'none',
    710. 

  710. 					'Referrer-Policy': 'origin-when-cross-origin',
    711. 

  711. 				});
    712. 

  712. 

  713. 				result.done(function( data, s, x ){
    714. 

  714. 					expect(data).toEqual([
    715. 

  715. 						{
    716. 

  716. 							msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">W3C Recommendation ↗</a>.',
    717. 

  717. 							type: OC.SetupChecks.MESSAGE_TYPE_INFO
    718. 

  718. 						}
    719. 

  719. 					]);
    720. 

  720. 					done();
    721. 

  721. 				});
    722. 

  722. 			});
    723. 

  723. 

  724. 			it('should return a message if Referrer-Policy is set to unsafe-url', function(done) {
    725. 

  725. 				protocolStub.returns('https');
    726. 

  726. 				var result = OC.SetupChecks.checkGeneric();
    727. 

  727. 

  728. 				suite.server.requests[0].respond(200, {
    729. 

  729. 					'Strict-Transport-Security': 'max-age=15768000',
    730. 

  730. 					'X-XSS-Protection': '1; mode=block',
    731. 

  731. 					'X-Content-Type-Options': 'nosniff',
    732. 

  732. 					'X-Robots-Tag': 'noindex, nofollow',
    733. 

  733. 					'X-Frame-Options': 'SAMEORIGIN',
    734. 

  734. 					'X-Permitted-Cross-Domain-Policies': 'none',
    735. 

  735. 					'Referrer-Policy': 'unsafe-url',
    736. 

  736. 				});
    737. 

  737. 

  738. 				result.done(function( data, s, x ){
    739. 

  739. 					expect(data).toEqual([
    740. 

  740. 						{
    741. 

  741. 							msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" class="external" href="https://www.w3.org/TR/referrer-policy/">W3C Recommendation ↗</a>.',
    742. 

  742. 							type: OC.SetupChecks.MESSAGE_TYPE_INFO
    743. 

  743. 						}
    744. 

  744. 					]);
    745. 

  745. 					done();
    746. 

  746. 				});
    747. 

  747. 			});
    748. 

  748. 		});
    749. 

  749. 	});
    750. 

  750. 

  751. 	it('should return an error if the response has no statuscode 200', function(done) {
    752. 

  752. 		var async = OC.SetupChecks.checkGeneric();
    753. 

  753. 

  754. 		suite.server.requests[0].respond(
    755. 

  755. 			500,
    756. 

  756. 			{
    757. 

  757. 				'Content-Type': 'application/json'
    758. 

  758. 			},
    759. 

  759. 			JSON.stringify({data: {serverHasInternetConnectionProblems: true}})
    760. 

  760. 		);
    761. 

  761. 		async.done(function( data, s, x ){
    762. 

  762. 			expect(data).toEqual([{
    763. 

  763. 				msg: 'Error occurred while checking server setup',
    764. 

  764. 				type: OC.SetupChecks.MESSAGE_TYPE_ERROR
    765. 

  765. 			}, {
    766. 

  766. 				msg: 'Error occurred while checking server setup',
    767. 

  767. 				type: OC.SetupChecks.MESSAGE_TYPE_ERROR
    768. 

  768. 			}]);
    769. 

  769. 			done();
    770. 

  770. 		});
    771. 

  771. 	});
    772. 

  772. 

  773. 	it('should return a SSL warning if SSL used without Strict-Transport-Security-Header', function(done) {
    774. 

  774. 		protocolStub.returns('https');
    775. 

  775. 		var async = OC.SetupChecks.checkGeneric();
    776. 

  776. 

  777. 		suite.server.requests[0].respond(200,
    778. 

  778. 			{
    779. 

  779. 				'X-XSS-Protection': '1; mode=block',
    780. 

  780. 				'X-Content-Type-Options': 'nosniff',
    781. 

  781. 				'X-Robots-Tag': 'noindex, nofollow',
    782. 

  782. 				'X-Frame-Options': 'SAMEORIGIN',
    783. 

  783. 				'X-Permitted-Cross-Domain-Policies': 'none',
    784. 

  784. 				'Referrer-Policy': 'no-referrer',
    785. 

  785. 			}
    786. 

  786. 		);
    787. 

  787. 

  788. 		async.done(function( data, s, x ){
    789. 

  789. 			expect(data).toEqual([{
    790. 

  790. 				msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
    791. 

  791. 				type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    792. 

  792. 			}]);
    793. 

  793. 			done();
    794. 

  794. 		});
    795. 

  795. 	});
    796. 

  796. 

  797. 	it('should return a SSL warning if SSL used with to small Strict-Transport-Security-Header', function(done) {
    798. 

  798. 		protocolStub.returns('https');
    799. 

  799. 		var async = OC.SetupChecks.checkGeneric();
    800. 

  800. 

  801. 		suite.server.requests[0].respond(200,
    802. 

  802. 			{
    803. 

  803. 				'Strict-Transport-Security': 'max-age=15551999',
    804. 

  804. 				'X-XSS-Protection': '1; mode=block',
    805. 

  805. 				'X-Content-Type-Options': 'nosniff',
    806. 

  806. 				'X-Robots-Tag': 'noindex, nofollow',
    807. 

  807. 				'X-Frame-Options': 'SAMEORIGIN',
    808. 

  808. 				'X-Permitted-Cross-Domain-Policies': 'none',
    809. 

  809. 				'Referrer-Policy': 'no-referrer',
    810. 

  810. 			}
    811. 

  811. 		);
    812. 

  812. 

  813. 		async.done(function( data, s, x ){
    814. 

  814. 			expect(data).toEqual([{
    815. 

  815. 				msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
    816. 

  816. 				type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    817. 

  817. 			}]);
    818. 

  818. 			done();
    819. 

  819. 		});
    820. 

  820. 	});
    821. 

  821. 

  822. 	it('should return a SSL warning if SSL used with to a bogus Strict-Transport-Security-Header', function(done) {
    823. 

  823. 		protocolStub.returns('https');
    824. 

  824. 		var async = OC.SetupChecks.checkGeneric();
    825. 

  825. 

  826. 		suite.server.requests[0].respond(200,
    827. 

  827. 			{
    828. 

  828. 				'Strict-Transport-Security': 'iAmABogusHeader342',
    829. 

  829. 				'X-XSS-Protection': '1; mode=block',
    830. 

  830. 				'X-Content-Type-Options': 'nosniff',
    831. 

  831. 				'X-Robots-Tag': 'noindex, nofollow',
    832. 

  832. 				'X-Frame-Options': 'SAMEORIGIN',
    833. 

  833. 				'X-Permitted-Cross-Domain-Policies': 'none',
    834. 

  834. 				'Referrer-Policy': 'no-referrer',
    835. 

  835. 			}
    836. 

  836. 		);
    837. 

  837. 

  838. 		async.done(function( data, s, x ){
    839. 

  839. 			expect(data).toEqual([{
    840. 

  840. 				msg: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
    841. 

  841. 				type: OC.SetupChecks.MESSAGE_TYPE_WARNING
    842. 

  842. 			}]);
    843. 

  843. 			done();
    844. 

  844. 		});
    845. 

  845. 	});
    846. 

  846. 

  847. 	it('should return no SSL warning if SSL used with to exact the minimum Strict-Transport-Security-Header', function(done) {
    848. 

  848. 		protocolStub.returns('https');
    849. 

  849. 		var async = OC.SetupChecks.checkGeneric();
    850. 

  850. 

  851. 		suite.server.requests[0].respond(200, {
    852. 

  852. 			'Strict-Transport-Security': 'max-age=15768000',
    853. 

  853. 			'X-XSS-Protection': '1; mode=block',
    854. 

  854. 			'X-Content-Type-Options': 'nosniff',
    855. 

  855. 			'X-Robots-Tag': 'noindex, nofollow',
    856. 

  856. 			'X-Frame-Options': 'SAMEORIGIN',
    857. 

  857. 			'X-Permitted-Cross-Domain-Policies': 'none',
    858. 

  858. 			'Referrer-Policy': 'no-referrer',
    859. 

  859. 		});
    860. 

  860. 

  861. 		async.done(function( data, s, x ){
    862. 

  862. 			expect(data).toEqual([]);
    863. 

  863. 			done();
    864. 

  864. 		});
    865. 

  865. 	});
    866. 

  866. 

  867. 	it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header', function(done) {
    868. 

  868. 		protocolStub.returns('https');
    869. 

  869. 		var async = OC.SetupChecks.checkGeneric();
    870. 

  870. 

  871. 		suite.server.requests[0].respond(200, {
    872. 

  872. 			'Strict-Transport-Security': 'max-age=99999999',
    873. 

  873. 			'X-XSS-Protection': '1; mode=block',
    874. 

  874. 			'X-Content-Type-Options': 'nosniff',
    875. 

  875. 			'X-Robots-Tag': 'noindex, nofollow',
    876. 

  876. 			'X-Frame-Options': 'SAMEORIGIN',
    877. 

  877. 			'X-Permitted-Cross-Domain-Policies': 'none',
    878. 

  878. 			'Referrer-Policy': 'no-referrer',
    879. 

  879. 		});
    880. 

  880. 

  881. 		async.done(function( data, s, x ){
    882. 

  882. 			expect(data).toEqual([]);
    883. 

  883. 			done();
    884. 

  884. 		});
    885. 

  885. 	});
    886. 

  886. 

  887. 	it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header and includeSubDomains parameter', function(done) {
    888. 

  888. 		protocolStub.returns('https');
    889. 

  889. 		var async = OC.SetupChecks.checkGeneric();
    890. 

  890. 

  891. 		suite.server.requests[0].respond(200, {
    892. 

  892. 			'Strict-Transport-Security': 'max-age=99999999; includeSubDomains',
    893. 

  893. 			'X-XSS-Protection': '1; mode=block',
    894. 

  894. 			'X-Content-Type-Options': 'nosniff',
    895. 

  895. 			'X-Robots-Tag': 'noindex, nofollow',
    896. 

  896. 			'X-Frame-Options': 'SAMEORIGIN',
    897. 

  897. 			'X-Permitted-Cross-Domain-Policies': 'none',
    898. 

  898. 			'Referrer-Policy': 'no-referrer',
    899. 

  899. 		});
    900. 

  900. 

  901. 		async.done(function( data, s, x ){
    902. 

  902. 			expect(data).toEqual([]);
    903. 

  903. 			done();
    904. 

  904. 		});
    905. 

  905. 	});
    906. 

  906. 

  907. 	it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header and includeSubDomains and preload parameter', function(done) {
    908. 

  908. 		protocolStub.returns('https');
    909. 

  909. 		var async = OC.SetupChecks.checkGeneric();
    910. 

  910. 

  911. 		suite.server.requests[0].respond(200, {
    912. 

  912. 			'Strict-Transport-Security': 'max-age=99999999; preload; includeSubDomains',
    913. 

  913. 			'X-XSS-Protection': '1; mode=block',
    914. 

  914. 			'X-Content-Type-Options': 'nosniff',
    915. 

  915. 			'X-Robots-Tag': 'noindex, nofollow',
    916. 

  916. 			'X-Frame-Options': 'SAMEORIGIN',
    917. 

  917. 			'X-Permitted-Cross-Domain-Policies': 'none',
    918. 

  918. 			'Referrer-Policy': 'no-referrer',
    919. 

  919. 		});
    920. 

  920. 

  921. 		async.done(function( data, s, x ){
    922. 

  922. 			expect(data).toEqual([]);
    923. 

  923. 			done();
    924. 

  924. 		});
    925. 

  925. 	});
    926. 

  926. });
    927.