
Reversed X-XSS #13936

Conversation

AaronSadlerUK
Contributor

@AaronSadlerUK AaronSadlerUK commented Mar 9, 2023

Prerequisites

Fixes #13341

Description

This reverses the health check to warn if it does exist with a link to the Mozilla website which explains why it should not exist

I have also changed the readmore button to be nullable (it's not always required) and added a bool to reverse the check in the base class

@github-actions

github-actions bot commented Mar 9, 2023

Hi there @AaronSadlerUK, thank you for this contribution! 👍

While we wait for one of the Core Collaborators team to have a look at your work, we wanted to let you know that we have a checklist for some of the things we will consider during review:

  • It's clear what problem this is solving, there's a connected issue or a description of what the changes do and how to test them
  • The automated tests all pass (see "Checks" tab on this PR)
  • The level of security for this contribution is the same or improved
  • The level of performance for this contribution is the same or improved
  • Avoids creating breaking changes; note that behavioral changes might also be perceived as breaking
  • If this is a new feature, Umbraco HQ provided guidance on the implementation beforehand
  • 💡 The contribution looks original and the contributor is presumably allowed to share it

Don't worry if you got something wrong. We like to think of a pull request as the start of a conversation, we're happy to provide guidance on improving your contribution.

If you realize that you might want to make some changes then you can do that by adding new commits to the branch you created for this work and pushing new commits. They should then automatically show up as updates to this pull request.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

@tristanjthompson
Contributor

Bristol Hackathon testing!

I've tested a vanilla install without the X-XSS-Protection header and the health check correctly passed and looks as follows ✔️
image

I've updated the install to produce the X-XSS-Protection header, and the health check correctly failed and looks as follows ✔️

image

Clicking the "Mozilla" link should take me to the Mozilla info page with more info on the header, however it takes me to the Umbraco docs for the health check ❌

Just need to update that URL and I'm happy it's passing 👍

@AaronSadlerUK
Contributor Author

Corrected in commit 5d07968

Thanks!

@tristanjthompson
Contributor

Re-testing:

Testing passed ✅✅✅ thanks @AaronSadlerUK!

@nul800sebastiaan
Member

Teamwork, thanks very much both, this is now merged for 11.3! 👍

bergmania pushed a commit that referenced this pull request Mar 16, 2023
…ons.xml (#13979)

* Revert breaking changes introduced by PR #13936

* Update PackageValidationBaselineVersion to 11.0.0 (stable version) and remove all CompatibilitySuppressions.xml files

* Fix build pipeline (pack solution again, avoiding trying to pack template projects)
@nul800sebastiaan
Member

Hey @AaronSadlerUK! In all my excitement and GitHub not showing the build failing I merged this with not a glance at the code, but unfortunately we have a few breaking changes there so we had to roll this one back unfortunately. It would be really great if you'd like to try this one again though!

The changes that were breaking:

  • Removing public const XssProtectionCheck is a binary breaking change
  • Adding more arguments to the public class BaseHttpHeaderCheck is a breaking change
  • And although making the ReadMoreLink property nullable isn't a binary breaking change, it is a compiler breaking change, since it might require adding a null check (and can even fail rebuilding when you have <WarningsAsErrors>Nullable</WarningsAsErrors> set).

I haven't looked deeply into this PR at all but if you could address the above issues then we could give it another go! Thanks again for this attempt and sorry that I was a bit too quick on the trigger on merging this one.

@JasonElkin
Contributor

JasonElkin commented Mar 17, 2023

I don't think the BaseHttpHeaderCheck is a good abstraction for what we're trying to do here - hence needing breaking changes to make it useful.

I started working on a PR to obsolete it. For a proper separation of concerns I think we need an "IHttpHeader" service (or helper) - it really doesn't make sense to encapsulate the general HTTP Header checks inside a base healthcheck.

Also, judging by the MDN docs, we don't necessarily want to ensure it's not there - we need to check its actual value.
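As an added illustration of the two points raised in this thread (the PR description's reversed check that warns when the header is present, and the comment above that the header's actual value matters), here is a stand-alone C# evaluation of `X-XSS-Protection` that is not Umbraco's code and does not use `BaseHttpHeaderCheck`; the enum, class and method names are assumptions for this example. It treats an absent header or an explicit `0` as a pass, and an enabled legacy filter (`1`, with or without `mode=block`) or an unrecognised value as a warning, which is the behaviour MDN's guidance on this header implies.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;

// Added example, not Umbraco's code. Names below are assumed for illustration.
// Ordered from best to worst so the most severe finding across repeated
// header instances can be kept by comparison.
public enum XssProtectionStatus { Absent, Disabled, FilterEnabled, Malformed }

public static class XssProtectionHeaderCheck
{
    public const string HeaderName = "X-XSS-Protection";

    // Evaluate raw header values (a response may carry the header more than once).
    public static XssProtectionStatus Evaluate(IEnumerable<string>? values)
    {
        if (values is null) return XssProtectionStatus.Absent;
        var list = values.Where(v => !string.IsNullOrWhiteSpace(v)).ToList();
        if (list.Count == 0) return XssProtectionStatus.Absent;

        var worst = XssProtectionStatus.Disabled;
        foreach (var raw in list)
        {
            // Directives are semicolon separated; the first token is the on/off flag,
            // e.g. "0", "1", "1; mode=block", "1; report=<uri>".
            var mode = raw.Split(';', 2)[0].Trim();
            var status = mode switch
            {
                "0" => XssProtectionStatus.Disabled,      // pass: filter explicitly off
                "1" => XssProtectionStatus.FilterEnabled, // warn: legacy filter on
                _   => XssProtectionStatus.Malformed,     // warn: value not understood
            };
            if (status > worst) worst = status;
        }
        return worst;
    }

    // Fetch only the headers of a URL and evaluate the header from the live response.
    public static async Task<XssProtectionStatus> CheckUrlAsync(HttpClient client, Uri url)
    {
        using var response = await client.GetAsync(url, HttpCompletionOption.ResponseHeadersRead);
        return response.Headers.TryGetValues(HeaderName, out var values)
            ? Evaluate(values)
            : XssProtectionStatus.Absent;
    }
}
```

`Evaluate(null)` and `Evaluate(new[] { "0" })` are the passing cases; `Evaluate(new[] { "1; mode=block" })` returns `FilterEnabled` and should surface as a warning that links to the Mozilla page, as the PR does.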

Successfully merging this pull request may close these issues.

X-XSS-Protection health check is out of date