diff --git a/README.md b/README.md
index 808136ab..4161357d 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ There is a few different ways of getting it:
 
 ### 2. Go
 
-This requires a [Go environment](http://golang.org/doc/install), version 1.10 or greater.
+This requires a [Go environment](http://golang.org/doc/install), version 1.11 or greater.
 
 Fetch, compile and run dispatch:
 
diff --git a/pkg/cookie/cookie.go b/pkg/cookie/cookie.go
new file mode 100644
index 00000000..7a370f6c
--- /dev/null
+++ b/pkg/cookie/cookie.go
@@ -0,0 +1,35 @@
+package cookie
+
+import "net/http"
+
+const HostPrefix = "__Host-"
+
+func Harden(r *http.Request, cookie *http.Cookie) *http.Cookie {
+	cookie.HttpOnly = true
+	cookie.Secure = r.TLS != nil
+
+	if cookie.Path == "" {
+		cookie.Path = "/"
+	}
+
+	if cookie.Path == "/" && cookie.Secure {
+		cookie.Name = HostPrefix + cookie.Name
+	}
+
+	if cookie.SameSite == 0 {
+		cookie.SameSite = http.SameSiteLaxMode
+	}
+
+	return cookie
+}
+
+func Set(w http.ResponseWriter, r *http.Request, cookie *http.Cookie) {
+	http.SetCookie(w, Harden(r, cookie))
+}
+
+func Name(r *http.Request, name string) string {
+	if r.TLS != nil {
+		return HostPrefix + name
+	}
+	return name
+}
diff --git a/pkg/session/session.go b/pkg/session/session.go
index 22409176..21ac3740 100644
--- a/pkg/session/session.go
+++ b/pkg/session/session.go
@@ -6,6 +6,8 @@ import (
 	"net/http"
 	"sync"
 	"time"
+
+	"github.com/khlieng/dispatch/pkg/cookie"
 )
 
 var (
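Review bot: Harden applies the `__Host-` prefix without checking that the cookie carries no Domain attribute, and browsers that enforce the prefix rules reject a `__Host-` cookie that has one, so a caller that sets Domain would get a cookie that is silently never stored; the guard should read `if cookie.Path == "/" && cookie.Secure && cookie.Domain == "" {`. Name does not mirror that condition (it keys only on r.TLS), so the two functions disagree for any cookie Harden leaves unprefixed; documenting that Name assumes a Path "/" cookie without Domain keeps the contract explicit. Both decide Secure from `r.TLS != nil`, which is nil when TLS is terminated by a reverse proxy in front of this server, so in that deployment the cookie goes out without Secure and without the prefix, which deserves a comment or a configuration override. The exported HostPrefix, Harden, Set and Name have no doc comments; Harden's should state that it mutates the cookie it is given and returns the same pointer.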
@@ -48,18 +50,11 @@ func (s *Session) SetCookie(w http.ResponseWriter, r *http.Request) {
 	created := time.Unix(s.createdAt, 0)
 	s.lock.Unlock()
 
-	cookie := &http.Cookie{
-		Name:     CookieName,
-		Value:    s.Key(),
-		Path:     "/",
-		Expires:  created.Add(Expiration),
-		HttpOnly: true,
-		Secure:   r.TLS != nil,
-	}
-
-	if v := cookie.String(); v != "" {
-		w.Header().Add("Set-Cookie", v+"; SameSite=Lax")
-	}
+	cookie.Set(w, r, &http.Cookie{
+		Name:    CookieName,
+		Value:   s.Key(),
+		Expires: created.Add(Expiration),
+	})
 }
 
 func (s *Session) Expired() bool {
diff --git a/server/auth.go b/server/auth.go
index 4b99d7e8..e6277571 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -4,6 +4,7 @@ import (
 	"log"
 	"net/http"
 
+	"github.com/khlieng/dispatch/pkg/cookie"
 	"github.com/khlieng/dispatch/pkg/session"
 	"github.com/khlieng/dispatch/storage"
 )
@@ -11,7 +12,7 @@ import (
 func (d *Dispatch) handleAuth(w http.ResponseWriter, r *http.Request, createUser, refresh bool) *State {
 	var state *State
 
-	cookie, err := r.Cookie(session.CookieName)
+	cookie, err := r.Cookie(cookie.Name(r, session.CookieName))
 	if err != nil {
 		if createUser {
 			state, err = d.newUser(w, r)
diff --git a/server/serve_files.go b/server/serve_files.go
index c3a3e873..4c1bc91d 100644
--- a/server/serve_files.go
+++ b/server/serve_files.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/dsnet/compress/brotli"
 	"github.com/khlieng/dispatch/assets"
+	"github.com/khlieng/dispatch/pkg/cookie"
 	"github.com/tdewolff/minify/v2"
 	"github.com/tdewolff/minify/v2/html"
 )
@@ -261,7 +262,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
 		},
 	}
 
-	cookie, err := r.Cookie("push")
+	cookie, err := r.Cookie(cookie.Name(r, "push"))
 	if err != nil {
 		for _, asset := range h2PushAssets {
 			pusher.Push(asset.path, options)
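Review bot: The new `cookie, err := r.Cookie(cookie.Name(r, session.CookieName))` in handleAuth shadows the imported package cookie with the local *http.Cookie for the rest of the function; it compiles only because the right-hand side of `:=` is resolved before the new name enters scope, and any later call such as cookie.Set in this function would resolve to the variable instead of the package. Renaming the local, e.g. `c, err := r.Cookie(cookie.Name(r, session.CookieName))`, avoids the trap, with the later uses outside the hunk updated to match. The same pattern appears in serveIndex in server/serve_files.go (`cookie, err := r.Cookie(cookie.Name(r, "push"))`). Both handleAuth and serveIndex continue outside their hunks.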
@@ -313,7 +314,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Cache-Control", disabledCacheControl)
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("X-Frame-Options", "deny")
-	w.Header().Set("X-XSS-Protection", "1; mode=block")
+	w.Header().Set("X-XSS-Protection", "0")
 	w.Header().Set("Referrer-Policy", "same-origin")
 
 	if hstsHeader != "" {
@@ -334,13 +335,10 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
 }
 
 func setPushCookie(w http.ResponseWriter, r *http.Request) {
-	http.SetCookie(w, &http.Cookie{
-		Name:     "push",
-		Value:    h2PushCookieValue,
-		Path:     "/",
-		Expires:  time.Now().AddDate(1, 0, 0),
-		HttpOnly: true,
-		Secure:   r.TLS != nil,
+	cookie.Set(w, r, &http.Cookie{
+		Name:    "push",
+		Value:   h2PushCookieValue,
+		Expires: time.Now().AddDate(1, 0, 0),
 	})
 }
 
diff --git a/server/server.go b/server/server.go
index e6ac8ce8..fb8df56f 100644
--- a/server/server.go
+++ b/server/server.go
@@ -69,7 +69,7 @@ func (d *Dispatch) Run() {
 		go d.identd.Listen()
 	}
 
-	session.CookieName = "dispatch"
+	session.CookieName = "sid"
 
 	d.states = newStateStore(d.SessionStore)
 	go d.states.run()
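Review bot: The switch to `X-XSS-Protection: 0` carries no comment explaining it, and a later maintainer who only knows the older `1; mode=block` advice is likely to revert it; add `// Explicitly disable the legacy browser XSS auditor: current browsers have removed it and its filtering could itself leak information.` above the line. If the index response is not already covered by a Content-Security-Policy (none is visible in this hunk), that header is the modern replacement for what the auditor attempted. serveIndex continues outside the hunk.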
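Review bot: Renaming the session cookie from `dispatch` to `sid` invalidates every session that existing browsers hold, since handleAuth now looks up only the new name, so all users are logged out on deploy and the stale `dispatch` cookie stays in their browsers until it expires. A short comment at this line, or a changelog entry, should record that this is intentional; if a forced logout is not wanted, the server could clear the old name when it sets the new one. Run continues outside the hunk.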