net/http: Custom HTTP headers for bad requests (XFO, CSP)

[nono]

What version of Go are you using (go version)?

go version go1.11 linux/amd64

Does this issue reproduce with the latest release?

Yes, this issue is also present on master.

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/home/nono/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/nono/go"
GOPROXY=""
GORACE=""
GOROOT="/nix/store/dana4hagc62f8ylf57rci90d5frgzigk-go-1.11/share/go"
GOTMPDIR=""
GOTOOLDIR="/nix/store/dana4hagc62f8ylf57rci90d5frgzigk-go-1.11/share/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build734468368=/tmp/go-build -gno-record-gcc-switches"

What did you do?

As explained on https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa?gi=49139effcdd4, it's possible to bypasse Content-Security-Policy by using an iframe to an error page. So, I'd like to add the security headers to all the error pages (X-Frame-Options and Content-Security-Policy). Some HTTP responses are generated by the stdlib and cannot be modified.

What did you expect to see?

I'd have expected to have a way to customize those HTTP responses.

What did you see instead?

It's hard-coded in the stdlib.

[agnivade]

/cc @bradfitz

[davecheney]

Some HTTP responses are generated by the stdlib and cannot be modified.

Which http responses? Can you be specific?

…

On 14 Sep 2018, at 18:54, Agniva De Sarker ***@***.***> wrote: /cc @bradfitz — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[nono]

In the issue, I put a link to

go/src/net/http/server.go

Lines 1794 to 1817 in 9f59918

	const errorHeaders = "\r\nContent-Type: text/plain; charset=utf-8\r\nConnection: close\r\n\r\n"
	if err == errTooLarge {
	// Their HTTP client may or may not be
	// able to read this if we're
	// responding to them and hanging up
	// while they're still writing their
	// request. Undefined behavior.
	const publicErr = "431 Request Header Fields Too Large"
	fmt.Fprintf(c.rwc, "HTTP/1.1 "+publicErr+errorHeaders+publicErr)
	c.closeWriteAndWait()
	return
	}
	if isCommonNetReadError(err) {
	return // don't reply
	}
	publicErr := "400 Bad Request"
	if v, ok := err.(badRequestError); ok {
	publicErr = publicErr + ": " + string(v)
	}
	fmt.Fprintf(c.rwc, "HTTP/1.1 "+publicErr+errorHeaders+publicErr)
	return

. I'd like to have X-Frame-Options and CSP on all the responses, but some are generated by the stdlib. As I understand, they are 400 Bad request and 431 Request Header Fields Too Large. But I may have missed some others. At least, it is easy to trigger the 400 Bad request with a GET /% from an iframe.