-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Broken response with nosurf and gzip middleware #31
Comments
Possible workaround: CSRF.SetFailureHandler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
http.Error(rw, "", http.StatusBadRequest)
})) |
Absolutely. I'm not sure why I implemented the error status manually in the first place. Feel free to submit this change. |
wader
added a commit
to wader/nosurf
that referenced
this issue
Dec 8, 2015
justinas
added a commit
that referenced
this issue
Dec 8, 2015
Use http.Error to also set text/plain content type. Fixes #31
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Chrome, Firefox and Safari does not seem to like the response for a failed token verification when using a gzip middware. Chrome reports "This webpage is not available ERR_INVALID_RESPONSE".
What seems to cause the problem is
Content-Type: application/x-gzip
. In the example this happens because nosurf failure handler does not set any content type and the gzip middleware sets it toapplication/x-gzip
if not set.Have read parts of the HTTP specs but can't really understand if this is a valid response or not. But most browsers does not like it. Would it make sense to change
nosurf.defaultFailureHandler
tohttp.Error(rw, "", http.StatusBadRequest)
instead which will set the content type totext/plain; charset=utf-8
?Or is this a bug in the gzip middleware? it should not have a fallback content type (
Content-Encoding: gzip
is enough)?The text was updated successfully, but these errors were encountered: