Don't block access to content from /.well-known/

The `/.well-known/` directory represents the standard path prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`, `/.well-known/keybase.txt`), and therefore, access to its visible content should not be blocked. Ref: http://tools.ietf.org/html/rfc5785 https://www.mnot.net/blog/2010/04/07/well-known Close #31.
h5bp · Jun 2, 2014 · 04785b7 · 04785b7
1 parent 456b531
commit 04785b7
Show file tree

Hide file tree

Showing 8 changed files with 145 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,8 @@
 ### HEAD
 
-* Forbid access to `.conf` files
+* Don't block access to the content from within the `/.well-known/` directory
+  [[#31](https://github.com/h5bp/server-configs-apache/issues/31)].
+* Forbid access to `.conf` files.
 * Add the `no-transform` value to the `Cache-Control` HTTP response header
   without overwriting the existing value.
 * Add `cur`, `ico`, `svg`, `svgz` and `webp` to the filename-based cache

diff --git a/src/.htaccess b/src/.htaccess
@@ -324,6 +324,7 @@ AddDefaultCharset utf-8
 # ------------------------------------------------------------------------------
 
 # Block access to directories without a default document.
+
 # You should leave the following uncommented, as you shouldn't allow anyone to
 # surf through every directory on your server (which may includes rather private
 # places such as the CMS's directories).
@@ -334,10 +335,23 @@ AddDefaultCharset utf-8
 
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
-# Block access to hidden files and directories.
-# This includes directories used by version control systems such as Git and SVN.
+# Block access to all hidden files and directories with the exception of the
+# visible content from within the `/.well-known/` hidden directory.
+
+# These types of files usually contain user preferences or the preserved state
+# of an utility, and can include rather private places like, for example, the
+# `.git` or `.svn` directories.
+
+# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
+# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
+# `/.well-known/keybase.txt`), and therefore, access to its visible content
+# should not be blocked.
+
+# https://www.mnot.net/blog/2010/04/07/well-known
+# http://tools.ietf.org/html/rfc5785
 
 <IfModule mod_rewrite.c>
+    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
     RewriteCond %{SCRIPT_FILENAME} -d [OR]
     RewriteCond %{SCRIPT_FILENAME} -f
     RewriteRule "(^|/)\." - [F]

diff --git a/test/fixtures/content/.htaccess b/test/fixtures/content/.htaccess
@@ -334,10 +334,23 @@ AddDefaultCharset utf-8
 
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
-# Block access to hidden files and directories.
-# This includes directories used by version control systems such as Git and SVN.
+# Block access to all hidden files and directories with the exception of the
+# visible content from within the `/.well-known/` hidden directory.
+
+# These types of files usually contain user preferences or the preserved state
+# of an utility, and can include rather private places like, for example, the
+# `.git` or `.svn` directories.
+
+# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
+# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
+# `/.well-known/keybase.txt`), and therefore, access to its visible content
+# should not be blocked.
+
+# https://www.mnot.net/blog/2010/04/07/well-known
+# http://tools.ietf.org/html/rfc5785
 
 <IfModule mod_rewrite.c>
+    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
     RewriteCond %{SCRIPT_FILENAME} -d [OR]
     RewriteCond %{SCRIPT_FILENAME} -f
     RewriteRule "(^|/)\." - [F]

diff --git a/test/fixtures/content/.well-known/.hidden_directory/test.html b/test/fixtures/content/.well-known/.hidden_directory/test.html
@@ -0,0 +1,10 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <title>test</title>
+</head>
+<body>
+    test
+</body>
+</html>
diff --git a/test/fixtures/content/.well-known/manifest.json b/test/fixtures/content/.well-known/manifest.json
@@ -0,0 +1,17 @@
+{
+    "name": "test",
+    "icons": [{
+        "src": "icon/lowres",
+        "sizes": "64x64",
+        "type": "image/webp"
+    }, {
+        "src": "icon/hd_small",
+        "sizes": "64x64"
+    }, {
+        "src": "icon/hd_hi",
+        "sizes": "128x128"
+    }],
+    "start_url": "/start.html",
+    "display": "fullscreen",
+    "orientation": "landscape"
+}
diff --git a/test/fixtures/content/.well-known/test/.hidden_directory/test.html b/test/fixtures/content/.well-known/test/.hidden_directory/test.html
@@ -0,0 +1,10 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <title>test</title>
+</head>
+<body>
+    test
+</body>
+</html>
diff --git a/test/fixtures/content/.well-known/test/test.html b/test/fixtures/content/.well-known/test/test.html
@@ -0,0 +1,10 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <title>test</title>
+</head>
+<body>
+    test
+</body>
+</html>
diff --git a/test/test.js b/test/test.js
@@ -526,14 +526,76 @@ var tests = [
     },
 
     {
-        description: 'Test if access is forbidden to hidden files and directories',
+        description: 'Test if access is forbidden to hidden files and directories with the exception of the visible content from within the `/.well-known/` hidden directory',
         files: {
 
             '.hidden_file': {
                 statusCode: 403
             },
 
-            '.hidden_directory': {
+            '.hidden_directory/': {
+                statusCode: 403
+            },
+
+            '.well-known/': {
+                statusCode: 403
+            },
+
+            '.well-known/manifest.json': {
+                content:
+                    '{\n' +
+                    '    "name": "test",\n' +
+                    '    "icons": [{\n' +
+                    '        "src": "icon/lowres",\n' +
+                    '        "sizes": "64x64",\n' +
+                    '        "type": "image/webp"\n' +
+                    '    }, {\n' +
+                    '        "src": "icon/hd_small",\n' +
+                    '        "sizes": "64x64"\n' +
+                    '    }, {\n' +
+                    '        "src": "icon/hd_hi",\n' +
+                    '        "sizes": "128x128"\n' +
+                    '    }],\n' +
+                    '    "start_url": "/start.html",\n' +
+                    '    "display": "fullscreen",\n' +
+                    '    "orientation": "landscape"\n' +
+                    '}\n',
+                requestHeaders: {}
+
+            },
+
+            '.well-known/.hidden_directory/': {
+                statusCode: 403
+            },
+
+            '.well-known/.hidden_directory/test.html': {
+                statusCode: 403
+            },
+
+            '.well-known/test/': {
+                statusCode: 403
+            },
+
+            '.well-known/test/test.html': {
+                content:
+                    '<!doctype html>\n' +
+                    '<html lang="en">\n' +
+                    '<head>\n' +
+                    '    <meta charset="utf-8">\n' +
+                    '    <title>test</title>\n' +
+                    '</head>\n' +
+                    '<body>\n' +
+                    '    test\n' +
+                    '</body>\n' +
+                    '</html>\n',
+                requestHeaders: {}
+            },
+
+            '.well-known/test/.hidden_directory/': {
+                statusCode: 403
+            },
+
+            '.well-known/test/.hidden_directory/test.html': {
                 statusCode: 403
             }