net/http: Custom HTTP headers for bad requests (XFO, CSP) #27675
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
What version of Go are you using (
go version
)?go version go1.11 linux/amd64
Does this issue reproduce with the latest release?
Yes, this issue is also present on master.
What operating system and processor architecture are you using (
go env
)?What did you do?
As explained on https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa?gi=49139effcdd4, it's possible to bypasse Content-Security-Policy by using an iframe to an error page. So, I'd like to add the security headers to all the error pages (X-Frame-Options and Content-Security-Policy). Some HTTP responses are generated by the stdlib and cannot be modified.
What did you expect to see?
I'd have expected to have a way to customize those HTTP responses.
What did you see instead?
It's hard-coded in the stdlib.
The text was updated successfully, but these errors were encountered: