net/http: Custom HTTP headers for bad requests (XFO, CSP) #27675

Open
nono opened this Issue Sep 14, 2018 · 3 comments


nono commented Sep 14, 2018

What version of Go are you using (go version)?

go version go1.11 linux/amd64

Does this issue reproduce with the latest release?

Yes, this issue is also present on master.

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/home/nono/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/nono/go"
GOPROXY=""
GORACE=""
GOROOT="/nix/store/dana4hagc62f8ylf57rci90d5frgzigk-go-1.11/share/go"
GOTMPDIR=""
GOTOOLDIR="/nix/store/dana4hagc62f8ylf57rci90d5frgzigk-go-1.11/share/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build734468368=/tmp/go-build -gno-record-gcc-switches"

What did you do?

As explained on https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa?gi=49139effcdd4, it's possible to bypass Content-Security-Policy by using an iframe to an error page. So, I'd like to add the security headers to all the error pages (X-Frame-Options and Content-Security-Policy). Some HTTP responses are generated by the stdlib and cannot be modified.

What did you expect to see?

I'd have expected to have a way to customize those HTTP responses.

What did you see instead?

It's hard-coded in the stdlib.

agnivade commented Sep 14, 2018

/cc @bradfitz

@agnivade agnivade added this to the Unplanned milestone Sep 14, 2018

davecheney commented Sep 14, 2018

nono commented Sep 14, 2018

In the issue, I put a link to go/src/net/http/server.go (lines 1794 to 1817 in 9f59918):

```go
	const errorHeaders = "\r\nContent-Type: text/plain; charset=utf-8\r\nConnection: close\r\n\r\n"
	if err == errTooLarge {
		// Their HTTP client may or may not be
		// able to read this if we're
		// responding to them and hanging up
		// while they're still writing their
		// request. Undefined behavior.
		const publicErr = "431 Request Header Fields Too Large"
		fmt.Fprintf(c.rwc, "HTTP/1.1 "+publicErr+errorHeaders+publicErr)
		c.closeWriteAndWait()
		return
	}
	if isCommonNetReadError(err) {
		return // don't reply
	}
	publicErr := "400 Bad Request"
	if v, ok := err.(badRequestError); ok {
		publicErr = publicErr + ": " + string(v)
	}
	fmt.Fprintf(c.rwc, "HTTP/1.1 "+publicErr+errorHeaders+publicErr)
	return
```

I'd like to have X-Frame-Options and CSP on all the responses, but some are generated by the stdlib. As I understand, they are 400 Bad request and 431 Request Header Fields Too Large. But I may have missed some others. At least, it is easy to trigger the 400 Bad request with a GET /% from an iframe.
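The gap the issue describes can be checked from a test rather than inferred from the source. The following is an added example, not code from the Go project or from this issue: a header-setting middleware (the usual mitigation, with hypothetical names secureHeaders, rawHeaders and headerPresence) wrapped around an httptest server, plus a raw TCP probe that sends the malformed `GET /%` request line from the comment above. The middleware headers show up on the handler's response but not on the stdlib's 400, which is exactly the limitation being reported.

```go
package main
import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)
// secureHeaders stamps the two headers the issue asks for onto every response the
// handler chain produces; it never sees the 400/431 the stdlib writes before a handler runs.
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", "DENY")
		w.Header().Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
		next.ServeHTTP(w, r)
	})
}
// rawHeaders sends one hand-written request line over TCP (http.Client would
// refuse or normalise it) and returns the parsed response headers.
func rawHeaders(addr, requestLine string) (http.Header, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	fmt.Fprintf(conn, "%s\r\nHost: example.invalid\r\n\r\n", requestLine)
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return resp.Header, nil
}
// headerPresence reports whether X-Frame-Options is present on a normal response
// and on the 400 Bad Request the stdlib emits for an unparsable request line.
func headerPresence() (onHandler, onBadRequest bool, err error) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	srv := httptest.NewServer(secureHeaders(ok))
	defer srv.Close()
	good, err := rawHeaders(srv.Listener.Addr().String(), "GET / HTTP/1.1")
	if err != nil {
		return false, false, err
	}
	bad, err := rawHeaders(srv.Listener.Addr().String(), "GET /% HTTP/1.1")
	if err != nil {
		return false, false, err
	}
	return good.Get("X-Frame-Options") != "", bad.Get("X-Frame-Options") != "", nil
}
```

Running this against a reverse proxy in front of the Go server is the practical workaround: the proxy can add the headers to every response, including the ones net/http writes itself.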
