Add __Host- prefix, set X-XSS-Protection to 0, require go1.11
This commit is contained in:
parent
d844f6ee1a
commit
ca4db66308
@ -28,7 +28,7 @@ There is a few different ways of getting it:
|
|||||||
|
|
||||||
### 2. Go
|
### 2. Go
|
||||||
|
|
||||||
This requires a [Go environment](http://golang.org/doc/install), version 1.10 or greater.
|
This requires a [Go environment](http://golang.org/doc/install), version 1.11 or greater.
|
||||||
|
|
||||||
Fetch, compile and run dispatch:
|
Fetch, compile and run dispatch:
|
||||||
|
|
||||||
|
35
pkg/cookie/cookie.go
Normal file
35
pkg/cookie/cookie.go
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
package cookie
|
||||||
|
|
||||||
|
import "net/http"
|
||||||
|
|
||||||
|
const HostPrefix = "__Host-"
|
||||||
|
|
||||||
|
func Harden(r *http.Request, cookie *http.Cookie) *http.Cookie {
|
||||||
|
cookie.HttpOnly = true
|
||||||
|
cookie.Secure = r.TLS != nil
|
||||||
|
|
||||||
|
if cookie.Path == "" {
|
||||||
|
cookie.Path = "/"
|
||||||
|
}
|
||||||
|
|
||||||
|
if cookie.Path == "/" && cookie.Secure {
|
||||||
|
cookie.Name = HostPrefix + cookie.Name
|
||||||
|
}
|
||||||
|
|
||||||
|
if cookie.SameSite == 0 {
|
||||||
|
cookie.SameSite = http.SameSiteLaxMode
|
||||||
|
}
|
||||||
|
|
||||||
|
return cookie
|
||||||
|
}
|
||||||
|
|
||||||
|
func Set(w http.ResponseWriter, r *http.Request, cookie *http.Cookie) {
|
||||||
|
http.SetCookie(w, Harden(r, cookie))
|
||||||
|
}
|
||||||
|
|
||||||
|
func Name(r *http.Request, name string) string {
|
||||||
|
if r.TLS != nil {
|
||||||
|
return HostPrefix + name
|
||||||
|
}
|
||||||
|
return name
|
||||||
|
}
|
@ -6,6 +6,8 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/khlieng/dispatch/pkg/cookie"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@ -48,18 +50,11 @@ func (s *Session) SetCookie(w http.ResponseWriter, r *http.Request) {
|
|||||||
created := time.Unix(s.createdAt, 0)
|
created := time.Unix(s.createdAt, 0)
|
||||||
s.lock.Unlock()
|
s.lock.Unlock()
|
||||||
|
|
||||||
cookie := &http.Cookie{
|
cookie.Set(w, r, &http.Cookie{
|
||||||
Name: CookieName,
|
Name: CookieName,
|
||||||
Value: s.Key(),
|
Value: s.Key(),
|
||||||
Path: "/",
|
Expires: created.Add(Expiration),
|
||||||
Expires: created.Add(Expiration),
|
})
|
||||||
HttpOnly: true,
|
|
||||||
Secure: r.TLS != nil,
|
|
||||||
}
|
|
||||||
|
|
||||||
if v := cookie.String(); v != "" {
|
|
||||||
w.Header().Add("Set-Cookie", v+"; SameSite=Lax")
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Session) Expired() bool {
|
func (s *Session) Expired() bool {
|
||||||
|
@ -4,6 +4,7 @@ import (
|
|||||||
"log"
|
"log"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
|
"github.com/khlieng/dispatch/pkg/cookie"
|
||||||
"github.com/khlieng/dispatch/pkg/session"
|
"github.com/khlieng/dispatch/pkg/session"
|
||||||
"github.com/khlieng/dispatch/storage"
|
"github.com/khlieng/dispatch/storage"
|
||||||
)
|
)
|
||||||
@ -11,7 +12,7 @@ import (
|
|||||||
func (d *Dispatch) handleAuth(w http.ResponseWriter, r *http.Request, createUser, refresh bool) *State {
|
func (d *Dispatch) handleAuth(w http.ResponseWriter, r *http.Request, createUser, refresh bool) *State {
|
||||||
var state *State
|
var state *State
|
||||||
|
|
||||||
cookie, err := r.Cookie(session.CookieName)
|
cookie, err := r.Cookie(cookie.Name(r, session.CookieName))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if createUser {
|
if createUser {
|
||||||
state, err = d.newUser(w, r)
|
state, err = d.newUser(w, r)
|
||||||
|
@ -17,6 +17,7 @@ import (
|
|||||||
|
|
||||||
"github.com/dsnet/compress/brotli"
|
"github.com/dsnet/compress/brotli"
|
||||||
"github.com/khlieng/dispatch/assets"
|
"github.com/khlieng/dispatch/assets"
|
||||||
|
"github.com/khlieng/dispatch/pkg/cookie"
|
||||||
"github.com/tdewolff/minify/v2"
|
"github.com/tdewolff/minify/v2"
|
||||||
"github.com/tdewolff/minify/v2/html"
|
"github.com/tdewolff/minify/v2/html"
|
||||||
)
|
)
|
||||||
@ -261,7 +262,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
cookie, err := r.Cookie("push")
|
cookie, err := r.Cookie(cookie.Name(r, "push"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
for _, asset := range h2PushAssets {
|
for _, asset := range h2PushAssets {
|
||||||
pusher.Push(asset.path, options)
|
pusher.Push(asset.path, options)
|
||||||
@ -313,7 +314,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
|
|||||||
w.Header().Set("Cache-Control", disabledCacheControl)
|
w.Header().Set("Cache-Control", disabledCacheControl)
|
||||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||||
w.Header().Set("X-Frame-Options", "deny")
|
w.Header().Set("X-Frame-Options", "deny")
|
||||||
w.Header().Set("X-XSS-Protection", "1; mode=block")
|
w.Header().Set("X-XSS-Protection", "0")
|
||||||
w.Header().Set("Referrer-Policy", "same-origin")
|
w.Header().Set("Referrer-Policy", "same-origin")
|
||||||
|
|
||||||
if hstsHeader != "" {
|
if hstsHeader != "" {
|
||||||
@ -334,13 +335,10 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func setPushCookie(w http.ResponseWriter, r *http.Request) {
|
func setPushCookie(w http.ResponseWriter, r *http.Request) {
|
||||||
http.SetCookie(w, &http.Cookie{
|
cookie.Set(w, r, &http.Cookie{
|
||||||
Name: "push",
|
Name: "push",
|
||||||
Value: h2PushCookieValue,
|
Value: h2PushCookieValue,
|
||||||
Path: "/",
|
Expires: time.Now().AddDate(1, 0, 0),
|
||||||
Expires: time.Now().AddDate(1, 0, 0),
|
|
||||||
HttpOnly: true,
|
|
||||||
Secure: r.TLS != nil,
|
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -69,7 +69,7 @@ func (d *Dispatch) Run() {
|
|||||||
go d.identd.Listen()
|
go d.identd.Listen()
|
||||||
}
|
}
|
||||||
|
|
||||||
session.CookieName = "dispatch"
|
session.CookieName = "sid"
|
||||||
|
|
||||||
d.states = newStateStore(d.SessionStore)
|
d.states = newStateStore(d.SessionStore)
|
||||||
go d.states.run()
|
go d.states.run()
|
||||||
|
Loading…
Reference in New Issue
Block a user