HTTPS response header security update changes

Refer: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/64205
       https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Changes:
     - Update the HTTPS response header parameters for checking

Tested:
     - Upstream build and ran from sandbox changes

Change-Id: I4ce367a812d4843c1e4c961ca0a804b8b8c76105
Signed-off-by: George Keishing <gkeishin@in.ibm.com>
diff --git a/redfish/service_root/test_service_root_security.robot b/redfish/service_root/test_service_root_security.robot
index 04520bc..9a567b3 100644
--- a/redfish/service_root/test_service_root_security.robot
+++ b/redfish/service_root/test_service_root_security.robot
@@ -11,13 +11,17 @@
 
 ${LOGIN_SESSION_COUNT}   ${50}
 
-&{header_requirements}  Strict-Transport-Security=max-age=31536000; includeSubdomains; preload
+&{header_requirements}  Strict-Transport-Security=max-age=31536000; includeSubdomains
 ...                     X-Frame-Options=DENY
 ...                     Pragma=no-cache
-...                     Cache-Control=no-Store,no-Cache
-...                     Content-Security-Policy=default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'
-...                     X-XSS-Protection=1; mode=block
+...                     Cache-Control=no-store, max-age=0
+...                     Referrer-Policy=no-referrer
 ...                     X-Content-Type-Options=nosniff
+...                     X-Permitted-Cross-Domain-Policies=none
+...                     Cross-Origin-Embedder-Policy=require-corp
+...                     Cross-Origin-Opener-Policy=same-origin
+...                     Cross-Origin-Resource-Policy=same-origin
+...                     Content-Security-Policy=default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'
 
 *** Test Cases ***
 
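Review bot: Dropping `X-XSS-Protection` from `&{header_requirements}` makes the header a don't-care rather than a forbidden one, so firmware that still sends the old `1; mode=block` value would presumably still pass this test. The MDN page cited in the commit message documents the header as deprecated, so the test could assert its absence once `${headers}` is built in the test case, e.g. `Dictionary Should Not Contain Key  ${headers}  X-XSS-Protection`. The comparison step is not visible in this diff, so confirm how header-name case is handled there before relying on an exact key. A comment above the dictionary such as `# Expected values track bmcweb's response headers; X-XSS-Protection and HSTS preload are intentionally not expected.` would also record why the entries were removed.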
@@ -112,13 +116,18 @@
     [Tags]  Login_And_Verify_HTTP_Response_Header
 
     # Example of HTTP redfish response header.
-    # Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
+    # Strict-Transport-Security: max-age=31536000; includeSubdomains
     # X-Frame-Options: DENY
     # Pragma: no-cache
-    # Cache-Control: no-Store,no-Cache
-    # Content-Security-Policy: default-src 'self'; img-src 'self' data:
-    # X-XSS-Protection: 1; mode=block
+    # Cache-Control: no-store, max-age=0
     # X-Content-Type-Options: nosniff
+    # Referrer-Policy: no-referrer
+    # X-Permitted-Cross-Domain-Policies: none
+    # Cross-Origin-Embedder-Policy: require-corp
+    # Cross-Origin-Opener-Policy: same-origin
+    # Cross-Origin-Resource-Policy: same-origin
+    # Content-Security-Policy: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'
+
 
     Rprint Vars  header_requirements  fmt=1
 
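Review bot: The example block in this comment repeats `&{header_requirements}` value for value, and the hunk after it adds a third copy in the `getheaders()` sample. The removed lines show the cost: the old comment's Content-Security-Policy (`default-src 'self'; img-src 'self' data:`) had already drifted from the dictionary. Consider replacing the list with a single pointer such as `# Expected headers and values are defined in &{header_requirements}.` so only one place needs updating when the policy changes. The added empty `+` line also leaves two consecutive blank lines before `Rprint Vars`.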
@@ -127,18 +136,20 @@
 
     # The getheaders() method returns the headers as a list of tuples:
     # headers:
-    #    [Strict-Transport-Security]:        max-age=31536000; includeSubdomains; preload
-    #    [X-Frame-Options]:                  DENY
-    #    [Pragma]:                           no-cache
-    #    [Cache-Control]:                    no-Store,no-Cache
-    #    [Content-Security-Policy]:          default-src 'self'; img-src 'self' data:
-    #    [X-XSS-Protection]:                 1; mode=block
-    #    [X-Content-Type-Options]:           nosniff
-    #    [X-UA-Compatible]:                  IE=11
-    #    [Content-Type]:                     application/json
-    #    [Server]:                           iBMC
-    #    [Date]:                             Tue, 16 Apr 2019 17:49:46 GMT
-    #    [Content-Length]:                   2177
+
+    # [Strict-Transport-Security]:             max-age=31536000; includeSubdomains
+    # [X-Frame-Options]:                       DENY
+    # [Pragma]:                                no-cache
+    # [Cache-Control]:                         no-store, max-age=0
+    # [X-Content-Type-Options]:                nosniff
+    # [Referrer-Policy]:                       no-referrer
+    # [X-Permitted-Cross-Domain-Policies]:     none
+    # [Cross-Origin-Embedder-Policy]:          require-corp
+    # [Cross-Origin-Opener-Policy]:            same-origin
+    # [Cross-Origin-Resource-Policy]:          same-origin
+    # [Content-Security-Policy]:               default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'
+    # [Content-Type]:                          application/json
+    # [Content-Length]:                        394
 
     ${headers}=  Key Value List To Dict  ${resp.getheaders()}
     Rprint Vars  headers  fmt=1