goss
HTTP Header X-XSS-Protection does not match
Describe the bug
The HTTP header X-XSS-Protection that is present does not match, and we have to either match the string X-Xss-Protection or use a case-insensitive regex pattern like "/(?i:X-XSS-Protection: 1;mode=block)/".
How To Reproduce
Apache conf:
```
Header set X-XSS-Protection 1;mode=block
```
HTTP headers:
```
# curl -I localhost/index
HTTP/1.1 200 OK
Date: Fri, 13 May 2022 10:48:01 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.29
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Vary: Origin
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
Content-Type: application/json
```
Test rule:
```yaml
http:
  http://localhost:{{ .Vars.http_port }}/index:
    status: 200
    timeout: 2000
    #method: GET
    headers:
    - "X-XSS-Protection: 1;mode=block"
```
Expected Behavior
Test passed.
Actual Behavior
```
.F..
Failures/Skipped:
HTTP: http://localhost:80/index: Headers: patterns not found: [X-XSS-Protection: 1;mode=block]
Total Duration: 0.044s
Count: 4, Failed: 1, Skipped: 0
```
Environment:
- goss v0.3.16
- Ubuntu 20
Since HTTP headers are case insensitive, would it be more clear if Goss just lowercased it?
The yaml test file would have to be lowercase, but the challenge of guessing how Go mutates the headers would be gone.
Leaving this open. Making everything lowercase does fix the issue to some degree, but it is a breaking change for all existing users.
The challenge is Go mutates the headers. I wonder if there's a way to skip that.. :thinking:
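An added example (not goss's code, and not from anyone in this thread) that reproduces the mismatch with Go's own net/http parser and contrasts a literal match with the case-insensitive comparison floated above. The raw response is a constructed, shortened copy of the headers in the report; the two matchers are assumed simplifications, not goss's actual header matching.

```go
package main

import (
	"bufio"
	"net/http"
	"strings"
)

// Constructed copy of the Apache response from the report (headers only, CRLF).
const rawResponse = "HTTP/1.1 200 OK\r\n" +
	"X-XSS-Protection: 1;mode=block\r\n" +
	"Content-Type: application/json\r\n\r\n"

// headerLines parses raw with net/http, as a Go client such as goss does. Go
// canonicalizes names while parsing, so "X-XSS-Protection" becomes "X-Xss-Protection".
func headerLines(raw string) ([]string, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var lines []string
	for name, values := range resp.Header {
		lines = append(lines, name+": "+strings.Join(values, ", "))
	}
	return lines, nil
}

// matchLiteral: case-sensitive substring check (assumed simplification, not goss's code).
func matchLiteral(lines []string, pattern string) bool {
	for _, l := range lines {
		if strings.Contains(l, pattern) {
			return true
		}
	}
	return false
}

// matchFold is the case-insensitive alternative discussed in the thread: header
// names are case-insensitive, so EqualFold on the name; the value still exact.
func matchFold(lines []string, want string) bool {
	wantName, wantValue, _ := strings.Cut(want, ":")
	for _, l := range lines {
		name, value, _ := strings.Cut(l, ":")
		if strings.EqualFold(name, wantName) && strings.TrimSpace(value) == strings.TrimSpace(wantValue) {
			return true
		}
	}
	return false
}
```

Against the canonicalized lines, the literal pattern from the test rule fails while "X-Xss-Protection: 1;mode=block" and the folded comparison both succeed, which is exactly the behaviour reported.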