
net/http: Custom HTTP headers for bad requests (XFO, CSP) #27675

Open
nono opened this issue Sep 14, 2018 · 3 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@nono

nono commented Sep 14, 2018

What version of Go are you using (go version)?

go version go1.11 linux/amd64

Does this issue reproduce with the latest release?

Yes, this issue is also present on master.

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/home/nono/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/nono/go"
GOPROXY=""
GORACE=""
GOROOT="/nix/store/dana4hagc62f8ylf57rci90d5frgzigk-go-1.11/share/go"
GOTMPDIR=""
GOTOOLDIR="/nix/store/dana4hagc62f8ylf57rci90d5frgzigk-go-1.11/share/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build734468368=/tmp/go-build -gno-record-gcc-switches"

What did you do?

As explained on https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa?gi=49139effcdd4, it's possible to bypass Content-Security-Policy by using an iframe to an error page. So, I'd like to add the security headers to all the error pages (X-Frame-Options and Content-Security-Policy). Some HTTP responses are generated by the stdlib and cannot be modified.

What did you expect to see?

I'd have expected to have a way to customize those HTTP responses.

What did you see instead?

It's hard-coded in the stdlib.

@agnivade
Contributor

/cc @bradfitz

@agnivade agnivade added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 14, 2018
@agnivade agnivade added this to the Unplanned milestone Sep 14, 2018
@davecheney
Contributor

davecheney commented Sep 14, 2018 via email

@nono
Author

nono commented Sep 14, 2018

In the issue, I put a link to

go/src/net/http/server.go

Lines 1794 to 1817 in 9f59918

	const errorHeaders = "\r\nContent-Type: text/plain; charset=utf-8\r\nConnection: close\r\n\r\n"
	if err == errTooLarge {
		// Their HTTP client may or may not be
		// able to read this if we're
		// responding to them and hanging up
		// while they're still writing their
		// request. Undefined behavior.
		const publicErr = "431 Request Header Fields Too Large"
		fmt.Fprintf(c.rwc, "HTTP/1.1 "+publicErr+errorHeaders+publicErr)
		c.closeWriteAndWait()
		return
	}
	if isCommonNetReadError(err) {
		return // don't reply
	}
	publicErr := "400 Bad Request"
	if v, ok := err.(badRequestError); ok {
		publicErr = publicErr + ": " + string(v)
	}
	fmt.Fprintf(c.rwc, "HTTP/1.1 "+publicErr+errorHeaders+publicErr)
	return
I'd like to have X-Frame-Options and CSP on all the responses, but some are generated by the stdlib. As I understand, they are 400 Bad request and 431 Request Header Fields Too Large. But I may have missed some others. At least, it is easy to trigger the 400 Bad request with a GET /% from an iframe.
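A check that reproduces the gap described above, as an added example that is not from the issue or the Go project: it starts a handler that sets both headers on every response it controls, then sends a well-formed request and the `GET /%` request from the comment over raw TCP and reports whether each reply carried them. The handler, the header values and the probe function names are assumptions for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// rawRequest sends one request line verbatim over TCP (nothing client-side can reject or normalise it first) and returns the parsed response head.
func rawRequest(addr, requestLine string) (*http.Response, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	fmt.Fprintf(conn, "%s\r\nHost: %s\r\n\r\n", requestLine, addr)
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err == nil {
		resp.Body.Close() // only the status line and headers matter here
	}
	return resp, err
}

// hasSecurityHeaders reports whether a response carries both headers the issue asks for.
func hasSecurityHeaders(h http.Header) bool {
	return h.Get("X-Frame-Options") != "" && h.Get("Content-Security-Policy") != ""
}

// probe starts a handler that sets both headers (constructed example values), sends requestLine to it, and reports the status and header presence.
func probe(requestLine string) (status string, protected bool, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", "DENY")
		w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'")
	}))
	defer srv.Close()
	resp, err := rawRequest(strings.TrimPrefix(srv.URL, "http://"), requestLine)
	if err != nil {
		return "", false, err
	}
	return resp.Status, hasSecurityHeaders(resp.Header), nil
}

func main() {
	for _, rl := range []string{"GET /ok HTTP/1.1", "GET /% HTTP/1.1"} {
		fmt.Println(probe(rl))
	}
}
```

The 200 reply carries both headers because the handler wrote them; the 400 reply is written by net/http before any handler runs and carries neither.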
