Closed as not planned
Description
What version of Go are you using (go version)?
go version go1.11 linux/amd64
Does this issue reproduce with the latest release?
Yes, this issue is also present on master.
What operating system and processor architecture are you using (go env)?
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/nono/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/nono/go"
GOPROXY=""
GORACE=""
GOROOT="/nix/store/dana4hagc62f8ylf57rci90d5frgzigk-go-1.11/share/go"
GOTMPDIR=""
GOTOOLDIR="/nix/store/dana4hagc62f8ylf57rci90d5frgzigk-go-1.11/share/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build734468368=/tmp/go-build -gno-record-gcc-switches"
What did you do?
As explained on https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa?gi=49139effcdd4, it's possible to bypass Content-Security-Policy by using an iframe to an error page. So, I'd like to add the security headers to all the error pages (X-Frame-Options and Content-Security-Policy). Some HTTP responses are generated by the stdlib and cannot be modified.
What did you expect to see?
I'd have expected to have a way to customize those HTTP responses.
What did you see instead?
It's hard-coded in the stdlib.
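The gap described in this issue, as an added example that is not part of the original report or of the Go project's code: a middleware sets the two headers on every response that passes through the handler chain, and a probe compares the mux's own 404 with the 400 that net/http writes for a request without a Host header, before any handler is invoked. The name `withSecurityHeaders`, the helper `probe`, the header values and the sample requests are assumptions made for the illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// withSecurityHeaders (hypothetical name) sets both headers before next runs.
func withSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constructed policy values; adjust to the application's needs.
		w.Header().Set("X-Frame-Options", "DENY")
		w.Header().Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
		next.ServeHTTP(w, r)
	})
}

// probe sends rawRequest to a local test server; returns status and CSP header.
func probe(rawRequest string) (int, string, error) {
	srv := httptest.NewServer(withSecurityHeaders(http.NewServeMux()))
	defer srv.Close()
	conn, err := net.Dial("tcp", srv.Listener.Addr().String())
	if err != nil {
		return 0, "", err
	}
	defer conn.Close()
	if _, err := fmt.Fprint(conn, rawRequest); err != nil {
		return 0, "", err
	}
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Content-Security-Policy"), nil
}

func main() {
	// Constructed requests: unknown path (mux 404), then no Host header (server 400).
	for _, req := range []string{
		"GET /missing HTTP/1.1\r\nHost: example.test\r\nConnection: close\r\n\r\n",
		"GET /missing HTTP/1.1\r\n\r\n",
	} {
		fmt.Println(probe(req))
	}
}
```

The 404 carries the policy because the mux's not-found handler runs inside the wrapper; the 400 does not, so covering that response requires a component in front of the Go server, such as a reverse proxy that adds the headers.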