Broken response with nosurf and gzip middleware

[wader]

Chrome, Firefox and Safari does not seem to like the response for a failed token verification when using a gzip middware. Chrome reports "This webpage is not available ERR_INVALID_RESPONSE".

What seems to cause the problem is Content-Type: application/x-gzip. In the example this happens because nosurf failure handler does not set any content type and the gzip middleware sets it to application/x-gzip if not set.

Have read parts of the HTTP specs but can't really understand if this is a valid response or not. But most browsers does not like it. Would it make sense to change nosurf.defaultFailureHandler to http.Error(rw, "", http.StatusBadRequest) instead which will set the content type to text/plain; charset=utf-8?

package main

import (
    "net/http"

    "github.com/codegangsta/negroni"
    "github.com/phyber/negroni-gzip/gzip"
)

func main() {
    n := negroni.New()
    n.Use(gzip.Gzip(gzip.DefaultCompression))
    n.UseHandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
        // simulate nosurf.defaultFailureHandler
        rw.WriteHeader(http.StatusBadRequest)
    })
    http.ListenAndServe(":3001", n)
}

Or is this a bug in the gzip middleware? it should not have a fallback content type (Content-Encoding: gzip is enough)?

[wader]

Possible workaround:

CSRF.SetFailureHandler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
    http.Error(rw, "", http.StatusBadRequest)
}))

[justinas]

Would it make sense to change nosurf.defaultFailureHandler to http.Error(rw, "", http.StatusBadRequest)

Absolutely. I'm not sure why I implemented the error status manually in the first place. Feel free to submit this change.