Add __Host- prefix, set X-XSS-Protection to 0, require go1.11

This commit is contained in:
Ken-Håvard Lieng 2020-06-25 08:21:16 +02:00
parent d844f6ee1a
commit ca4db66308
6 changed files with 53 additions and 24 deletions

View File

@ -28,7 +28,7 @@ There is a few different ways of getting it:
### 2. Go ### 2. Go
This requires a [Go environment](http://golang.org/doc/install), version 1.10 or greater. This requires a [Go environment](http://golang.org/doc/install), version 1.11 or greater.
Fetch, compile and run dispatch: Fetch, compile and run dispatch:

35
pkg/cookie/cookie.go Normal file
View File

@ -0,0 +1,35 @@
package cookie
import "net/http"
const HostPrefix = "__Host-"
func Harden(r *http.Request, cookie *http.Cookie) *http.Cookie {
cookie.HttpOnly = true
cookie.Secure = r.TLS != nil
if cookie.Path == "" {
cookie.Path = "/"
}
if cookie.Path == "/" && cookie.Secure {
cookie.Name = HostPrefix + cookie.Name
}
if cookie.SameSite == 0 {
cookie.SameSite = http.SameSiteLaxMode
}
return cookie
}
func Set(w http.ResponseWriter, r *http.Request, cookie *http.Cookie) {
http.SetCookie(w, Harden(r, cookie))
}
func Name(r *http.Request, name string) string {
if r.TLS != nil {
return HostPrefix + name
}
return name
}

View File

@ -6,6 +6,8 @@ import (
"net/http" "net/http"
"sync" "sync"
"time" "time"
"github.com/khlieng/dispatch/pkg/cookie"
) )
var ( var (
@ -48,18 +50,11 @@ func (s *Session) SetCookie(w http.ResponseWriter, r *http.Request) {
created := time.Unix(s.createdAt, 0) created := time.Unix(s.createdAt, 0)
s.lock.Unlock() s.lock.Unlock()
cookie := &http.Cookie{ cookie.Set(w, r, &http.Cookie{
Name: CookieName, Name: CookieName,
Value: s.Key(), Value: s.Key(),
Path: "/", Expires: created.Add(Expiration),
Expires: created.Add(Expiration), })
HttpOnly: true,
Secure: r.TLS != nil,
}
if v := cookie.String(); v != "" {
w.Header().Add("Set-Cookie", v+"; SameSite=Lax")
}
} }
func (s *Session) Expired() bool { func (s *Session) Expired() bool {

View File

@ -4,6 +4,7 @@ import (
"log" "log"
"net/http" "net/http"
"github.com/khlieng/dispatch/pkg/cookie"
"github.com/khlieng/dispatch/pkg/session" "github.com/khlieng/dispatch/pkg/session"
"github.com/khlieng/dispatch/storage" "github.com/khlieng/dispatch/storage"
) )
@ -11,7 +12,7 @@ import (
func (d *Dispatch) handleAuth(w http.ResponseWriter, r *http.Request, createUser, refresh bool) *State { func (d *Dispatch) handleAuth(w http.ResponseWriter, r *http.Request, createUser, refresh bool) *State {
var state *State var state *State
cookie, err := r.Cookie(session.CookieName) cookie, err := r.Cookie(cookie.Name(r, session.CookieName))
if err != nil { if err != nil {
if createUser { if createUser {
state, err = d.newUser(w, r) state, err = d.newUser(w, r)

View File

@ -17,6 +17,7 @@ import (
"github.com/dsnet/compress/brotli" "github.com/dsnet/compress/brotli"
"github.com/khlieng/dispatch/assets" "github.com/khlieng/dispatch/assets"
"github.com/khlieng/dispatch/pkg/cookie"
"github.com/tdewolff/minify/v2" "github.com/tdewolff/minify/v2"
"github.com/tdewolff/minify/v2/html" "github.com/tdewolff/minify/v2/html"
) )
@ -261,7 +262,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
}, },
} }
cookie, err := r.Cookie("push") cookie, err := r.Cookie(cookie.Name(r, "push"))
if err != nil { if err != nil {
for _, asset := range h2PushAssets { for _, asset := range h2PushAssets {
pusher.Push(asset.path, options) pusher.Push(asset.path, options)
@ -313,7 +314,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Cache-Control", disabledCacheControl) w.Header().Set("Cache-Control", disabledCacheControl)
w.Header().Set("X-Content-Type-Options", "nosniff") w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("X-Frame-Options", "deny") w.Header().Set("X-Frame-Options", "deny")
w.Header().Set("X-XSS-Protection", "1; mode=block") w.Header().Set("X-XSS-Protection", "0")
w.Header().Set("Referrer-Policy", "same-origin") w.Header().Set("Referrer-Policy", "same-origin")
if hstsHeader != "" { if hstsHeader != "" {
@ -334,13 +335,10 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
} }
func setPushCookie(w http.ResponseWriter, r *http.Request) { func setPushCookie(w http.ResponseWriter, r *http.Request) {
http.SetCookie(w, &http.Cookie{ cookie.Set(w, r, &http.Cookie{
Name: "push", Name: "push",
Value: h2PushCookieValue, Value: h2PushCookieValue,
Path: "/", Expires: time.Now().AddDate(1, 0, 0),
Expires: time.Now().AddDate(1, 0, 0),
HttpOnly: true,
Secure: r.TLS != nil,
}) })
} }

View File

@ -69,7 +69,7 @@ func (d *Dispatch) Run() {
go d.identd.Listen() go d.identd.Listen()
} }
session.CookieName = "dispatch" session.CookieName = "sid"
d.states = newStateStore(d.SessionStore) d.states = newStateStore(d.SessionStore)
go d.states.run() go d.states.run()