Add __Host- prefix, set X-XSS-Protection to 0, require go1.11

README.md

@@ -28,7 +28,7 @@ There is a few different ways of getting it:
 
 ### 2. Go
 
-This requires a [Go environment](http://golang.org/doc/install), version 1.10 or greater.
+This requires a [Go environment](http://golang.org/doc/install), version 1.11 or greater.
 
 Fetch, compile and run dispatch:
 

pkg/cookie/cookie.go

@@ -0,0 +1,35 @@
+package cookie
+
+import "net/http"
+
+const HostPrefix = "__Host-"
+
+func Harden(r *http.Request, cookie *http.Cookie) *http.Cookie {
+	cookie.HttpOnly = true
+	cookie.Secure = r.TLS != nil
+
+	if cookie.Path == "" {
+		cookie.Path = "/"
+	}
+
+	if cookie.Path == "/" && cookie.Secure {
+		cookie.Name = HostPrefix + cookie.Name
+	}
+
+	if cookie.SameSite == 0 {
+		cookie.SameSite = http.SameSiteLaxMode
+	}
+
+	return cookie
+}
+
+func Set(w http.ResponseWriter, r *http.Request, cookie *http.Cookie) {
+	http.SetCookie(w, Harden(r, cookie))
+}
+
+func Name(r *http.Request, name string) string {
+	if r.TLS != nil {
+		return HostPrefix + name
+	}
+	return name
+}

pkg/session/session.go

@@ -6,6 +6,8 @@ import (
 	"net/http"
 	"sync"
 	"time"
+
+	"github.com/khlieng/dispatch/pkg/cookie"
 )
 
 var (
@@ -48,18 +50,11 @@ func (s *Session) SetCookie(w http.ResponseWriter, r *http.Request) {
 	created := time.Unix(s.createdAt, 0)
 	s.lock.Unlock()
 
-	cookie := &http.Cookie{
+	cookie.Set(w, r, &http.Cookie{
 		Name:    CookieName,
 		Value:   s.Key(),
-		Path:     "/",
 		Expires: created.Add(Expiration),
-		HttpOnly: true,
+	})
-		Secure:   r.TLS != nil,
-	}
-
-	if v := cookie.String(); v != "" {
-		w.Header().Add("Set-Cookie", v+"; SameSite=Lax")
-	}
 }
 
 func (s *Session) Expired() bool {

server/auth.go

@@ -4,6 +4,7 @@ import (
 	"log"
 	"net/http"
 
+	"github.com/khlieng/dispatch/pkg/cookie"
 	"github.com/khlieng/dispatch/pkg/session"
 	"github.com/khlieng/dispatch/storage"
 )
@@ -11,7 +12,7 @@ import (
 func (d *Dispatch) handleAuth(w http.ResponseWriter, r *http.Request, createUser, refresh bool) *State {
 	var state *State
 
-	cookie, err := r.Cookie(session.CookieName)
+	cookie, err := r.Cookie(cookie.Name(r, session.CookieName))
 	if err != nil {
 		if createUser {
 			state, err = d.newUser(w, r)

server/serve_files.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/dsnet/compress/brotli"
 	"github.com/khlieng/dispatch/assets"
+	"github.com/khlieng/dispatch/pkg/cookie"
 	"github.com/tdewolff/minify/v2"
 	"github.com/tdewolff/minify/v2/html"
 )
@@ -261,7 +262,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
 			},
 		}
 
-		cookie, err := r.Cookie("push")
+		cookie, err := r.Cookie(cookie.Name(r, "push"))
 		if err != nil {
 			for _, asset := range h2PushAssets {
 				pusher.Push(asset.path, options)
@@ -313,7 +314,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Cache-Control", disabledCacheControl)
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("X-Frame-Options", "deny")
-	w.Header().Set("X-XSS-Protection", "1; mode=block")
+	w.Header().Set("X-XSS-Protection", "0")
 	w.Header().Set("Referrer-Policy", "same-origin")
 
 	if hstsHeader != "" {
@@ -334,13 +335,10 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
 }
 
 func setPushCookie(w http.ResponseWriter, r *http.Request) {
-	http.SetCookie(w, &http.Cookie{
+	cookie.Set(w, r, &http.Cookie{
 		Name:    "push",
 		Value:   h2PushCookieValue,
-		Path:     "/",
 		Expires: time.Now().AddDate(1, 0, 0),
-		HttpOnly: true,
-		Secure:   r.TLS != nil,
 	})
 }
 

server/server.go

@@ -69,7 +69,7 @@ func (d *Dispatch) Run() {
 		go d.identd.Listen()
 	}
 
-	session.CookieName = "dispatch"
+	session.CookieName = "sid"
 
 	d.states = newStateStore(d.SessionStore)
 	go d.states.run()