Add __Host- prefix, set X-XSS-Protection to 0, require go1.11

2020-06-25 08:21:16 +02:00 · 2020-06-25 08:21:16 +02:00 · ca4db66308
commit ca4db66308
parent d844f6ee1a
6 changed files with 53 additions and 24 deletions
--- a/server/auth.go
+++ b/server/auth.go
@ -4,6 +4,7 @@ import (
 	"log"
 	"net/http"

+	"github.com/khlieng/dispatch/pkg/cookie"
 	"github.com/khlieng/dispatch/pkg/session"
 	"github.com/khlieng/dispatch/storage"
 )
@ -11,7 +12,7 @@ import (
 func (d *Dispatch) handleAuth(w http.ResponseWriter, r *http.Request, createUser, refresh bool) *State {
 	var state *State

-	cookie, err := r.Cookie(session.CookieName)
+	cookie, err := r.Cookie(cookie.Name(r, session.CookieName))
 	if err != nil {
 		if createUser {
 			state, err = d.newUser(w, r)
--- a/server/serve_files.go
+++ b/server/serve_files.go
@ -17,6 +17,7 @@ import (

 	"github.com/dsnet/compress/brotli"
 	"github.com/khlieng/dispatch/assets"
+	"github.com/khlieng/dispatch/pkg/cookie"
 	"github.com/tdewolff/minify/v2"
 	"github.com/tdewolff/minify/v2/html"
 )
@ -261,7 +262,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
 			},
 		}

-		cookie, err := r.Cookie("push")
+		cookie, err := r.Cookie(cookie.Name(r, "push"))
 		if err != nil {
 			for _, asset := range h2PushAssets {
 				pusher.Push(asset.path, options)
@ -313,7 +314,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Cache-Control", disabledCacheControl)
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("X-Frame-Options", "deny")
-	w.Header().Set("X-XSS-Protection", "1; mode=block")
+	w.Header().Set("X-XSS-Protection", "0")
 	w.Header().Set("Referrer-Policy", "same-origin")

 	if hstsHeader != "" {
@ -334,13 +335,10 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
 }

 func setPushCookie(w http.ResponseWriter, r *http.Request) {
-	http.SetCookie(w, &http.Cookie{
-		Name:     "push",
-		Value:    h2PushCookieValue,
-		Path:     "/",
-		Expires:  time.Now().AddDate(1, 0, 0),
-		HttpOnly: true,
-		Secure:   r.TLS != nil,
+	cookie.Set(w, r, &http.Cookie{
+		Name:    "push",
+		Value:   h2PushCookieValue,
+		Expires: time.Now().AddDate(1, 0, 0),
 	})
 }

--- a/server/server.go
+++ b/server/server.go
@ -69,7 +69,7 @@ func (d *Dispatch) Run() {
 		go d.identd.Listen()
 	}

-	session.CookieName = "dispatch"
+	session.CookieName = "sid"

 	d.states = newStateStore(d.SessionStore)
 	go d.states.run()