agnivade
commented
6 years ago /cc @bradfitz
Open nono opened 6 years ago
agnivade
commented
6 years ago /cc @bradfitz
davecheney
commented
6 years ago Some HTTP responses are generated by the stdlib and cannot be modified.
Which http responses? Can you be specific?
On 14 Sep 2018, at 18:54, Agniva De Sarker notifications@github.com wrote:
/cc @bradfitz
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.
nono
commented
6 years ago In the issue, I put a link to https://github.com/golang/go/blob/9f59918cae5eb23fdf0135b77280907365b52069/src/net/http/server.go#L1794-L1817. I'd like to have X-Frame-Options and CSP on all the responses, but some are generated by the stdlib. As I understand, they are 400 Bad request and 431 Request Header Fields Too Large. But I may have missed some others. At least, it is easy to trigger the 400 Bad request with a GET /% from an iframe.
What version of Go are you using (
go version)?go version go1.11 linux/amd64Does this issue reproduce with the latest release?
Yes, this issue is also present on master.
What operating system and processor architecture are you using (
go env)?What did you do?
As explained on https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa?gi=49139effcdd4, it's possible to bypasse Content-Security-Policy by using an iframe to an error page. So, I'd like to add the security headers to all the error pages (X-Frame-Options and Content-Security-Policy). Some HTTP responses are generated by the stdlib and cannot be modified.
What did you expect to see?
I'd have expected to have a way to customize those HTTP responses.
What did you see instead?
It's hard-coded in the stdlib.