Add __Host- prefix, set X-XSS-Protection to 0, require go1.11
This commit is contained in:
parent
d844f6ee1a
commit
ca4db66308
@ -28,7 +28,7 @@ There is a few different ways of getting it:
|
||||
|
||||
### 2. Go
|
||||
|
||||
This requires a [Go environment](http://golang.org/doc/install), version 1.10 or greater.
|
||||
This requires a [Go environment](http://golang.org/doc/install), version 1.11 or greater.
|
||||
|
||||
Fetch, compile and run dispatch:
|
||||
|
||||
|
35
pkg/cookie/cookie.go
Normal file
35
pkg/cookie/cookie.go
Normal file
@ -0,0 +1,35 @@
|
||||
package cookie
|
||||
|
||||
import "net/http"
|
||||
|
||||
const HostPrefix = "__Host-"
|
||||
|
||||
func Harden(r *http.Request, cookie *http.Cookie) *http.Cookie {
|
||||
cookie.HttpOnly = true
|
||||
cookie.Secure = r.TLS != nil
|
||||
|
||||
if cookie.Path == "" {
|
||||
cookie.Path = "/"
|
||||
}
|
||||
|
||||
if cookie.Path == "/" && cookie.Secure {
|
||||
cookie.Name = HostPrefix + cookie.Name
|
||||
}
|
||||
|
||||
if cookie.SameSite == 0 {
|
||||
cookie.SameSite = http.SameSiteLaxMode
|
||||
}
|
||||
|
||||
return cookie
|
||||
}
|
||||
|
||||
func Set(w http.ResponseWriter, r *http.Request, cookie *http.Cookie) {
|
||||
http.SetCookie(w, Harden(r, cookie))
|
||||
}
|
||||
|
||||
func Name(r *http.Request, name string) string {
|
||||
if r.TLS != nil {
|
||||
return HostPrefix + name
|
||||
}
|
||||
return name
|
||||
}
|
@ -6,6 +6,8 @@ import (
|
||||
"net/http"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/khlieng/dispatch/pkg/cookie"
|
||||
)
|
||||
|
||||
var (
|
||||
@ -48,18 +50,11 @@ func (s *Session) SetCookie(w http.ResponseWriter, r *http.Request) {
|
||||
created := time.Unix(s.createdAt, 0)
|
||||
s.lock.Unlock()
|
||||
|
||||
cookie := &http.Cookie{
|
||||
cookie.Set(w, r, &http.Cookie{
|
||||
Name: CookieName,
|
||||
Value: s.Key(),
|
||||
Path: "/",
|
||||
Expires: created.Add(Expiration),
|
||||
HttpOnly: true,
|
||||
Secure: r.TLS != nil,
|
||||
}
|
||||
|
||||
if v := cookie.String(); v != "" {
|
||||
w.Header().Add("Set-Cookie", v+"; SameSite=Lax")
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func (s *Session) Expired() bool {
|
||||
|
@ -4,6 +4,7 @@ import (
|
||||
"log"
|
||||
"net/http"
|
||||
|
||||
"github.com/khlieng/dispatch/pkg/cookie"
|
||||
"github.com/khlieng/dispatch/pkg/session"
|
||||
"github.com/khlieng/dispatch/storage"
|
||||
)
|
||||
@ -11,7 +12,7 @@ import (
|
||||
func (d *Dispatch) handleAuth(w http.ResponseWriter, r *http.Request, createUser, refresh bool) *State {
|
||||
var state *State
|
||||
|
||||
cookie, err := r.Cookie(session.CookieName)
|
||||
cookie, err := r.Cookie(cookie.Name(r, session.CookieName))
|
||||
if err != nil {
|
||||
if createUser {
|
||||
state, err = d.newUser(w, r)
|
||||
|
@ -17,6 +17,7 @@ import (
|
||||
|
||||
"github.com/dsnet/compress/brotli"
|
||||
"github.com/khlieng/dispatch/assets"
|
||||
"github.com/khlieng/dispatch/pkg/cookie"
|
||||
"github.com/tdewolff/minify/v2"
|
||||
"github.com/tdewolff/minify/v2/html"
|
||||
)
|
||||
@ -261,7 +262,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
|
||||
},
|
||||
}
|
||||
|
||||
cookie, err := r.Cookie("push")
|
||||
cookie, err := r.Cookie(cookie.Name(r, "push"))
|
||||
if err != nil {
|
||||
for _, asset := range h2PushAssets {
|
||||
pusher.Push(asset.path, options)
|
||||
@ -313,7 +314,7 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Cache-Control", disabledCacheControl)
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.Header().Set("X-Frame-Options", "deny")
|
||||
w.Header().Set("X-XSS-Protection", "1; mode=block")
|
||||
w.Header().Set("X-XSS-Protection", "0")
|
||||
w.Header().Set("Referrer-Policy", "same-origin")
|
||||
|
||||
if hstsHeader != "" {
|
||||
@ -334,13 +335,10 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
func setPushCookie(w http.ResponseWriter, r *http.Request) {
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
cookie.Set(w, r, &http.Cookie{
|
||||
Name: "push",
|
||||
Value: h2PushCookieValue,
|
||||
Path: "/",
|
||||
Expires: time.Now().AddDate(1, 0, 0),
|
||||
HttpOnly: true,
|
||||
Secure: r.TLS != nil,
|
||||
})
|
||||
}
|
||||
|
||||
|
@ -69,7 +69,7 @@ func (d *Dispatch) Run() {
|
||||
go d.identd.Listen()
|
||||
}
|
||||
|
||||
session.CookieName = "dispatch"
|
||||
session.CookieName = "sid"
|
||||
|
||||
d.states = newStateStore(d.SessionStore)
|
||||
go d.states.run()
|
||||
|
Loading…
Reference in New Issue
Block a user