chore: update reva to latest edge

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/get.go

@@ -131,7 +131,19 @@ func (s *svc) handleGet(ctx context.Context, w http.ResponseWriter, r *http.Requ
 	}
 	defer httpRes.Body.Close()
 
-	copyHeader(w.Header(), httpRes.Header)
+	// copy only the headers relevant for the content served by the datagateway
+	// more headers are already present from the GET request
+	copyHeader(w.Header(), httpRes.Header, net.HeaderContentType)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderContentLength)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderContentRange)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderOCFileID)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderOCETag)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderOCChecksum)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderETag)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderLastModified)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderAcceptRanges)
+	copyHeader(w.Header(), httpRes.Header, net.HeaderContentDisposistion)
+
 	w.WriteHeader(httpRes.StatusCode)
 
 	if httpRes.StatusCode != http.StatusOK && httpRes.StatusCode != http.StatusPartialContent {
@@ -156,11 +168,9 @@ func (s *svc) handleGet(ctx context.Context, w http.ResponseWriter, r *http.Requ
 	// TODO we need to send the If-Match etag in the GET to the datagateway to prevent race conditions between stating and reading the file
 }
 
-func copyHeader(dst, src http.Header) {
-	for key, values := range src {
-		for i := range values {
-			dst.Add(key, values[i])
-		}
+func copyHeader(dist, src http.Header, header string) {
+	if src.Get(header) != "" {
+		dist.Set(header, src.Get(header))
 	}
 }
 

vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go

@@ -165,8 +165,6 @@ func (s *svc) Handler() http.Handler {
 		ctx := r.Context()
 		log := appctx.GetLogger(ctx)
 
-		addAccessHeaders(w, r)
-
 		// TODO(jfd): do we need this?
 		// fake litmus testing for empty namespace: see https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/webdav/litmus_test_server.go#L58-L89
 		if r.Header.Get(net.HeaderLitmus) == "props: 3 (propfind_invalid2)" {
@@ -284,28 +282,6 @@ func (s *svc) ApplyLayout(ctx context.Context, ns string, useLoggedInUserNS bool
 	return templates.WithUser(u, ns), requestPath, nil
 }
 
-func addAccessHeaders(w http.ResponseWriter, r *http.Request) {
-	headers := w.Header()
-	// all resources served via the DAV endpoint should have the strictest possible as default
-	headers.Set("Content-Security-Policy", "default-src 'none';")
-	// disable sniffing the content type for IE
-	headers.Set("X-Content-Type-Options", "nosniff")
-	// https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
-	headers.Set("X-Download-Options", "noopen")
-	// Disallow iFraming from other domains
-	headers.Set("X-Frame-Options", "SAMEORIGIN")
-	// https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
-	headers.Set("X-Permitted-Cross-Domain-Policies", "none")
-	// https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
-	headers.Set("X-Robots-Tag", "none")
-	// enforce browser based XSS filters
-	headers.Set("X-XSS-Protection", "1; mode=block")
-
-	if r.TLS != nil {
-		headers.Set("Strict-Transport-Security", "max-age=63072000")
-	}
-}
-
 func authContextForUser(client gateway.GatewayAPIClient, userID *userpb.UserId, machineAuthAPIKey string) (context.Context, error) {
 	if machineAuthAPIKey == "" {
 		return nil, errtypes.NotSupported("machine auth not configured")