* Dynamic CSP nonce 1. Package level Nonce function to return the nonce associated with the present request using the context package added in Go 1.7 2. Transparent implementation using the text/template package for the nonce in CSP * Travis Changes * Removed byte size setting, defaults to 16, changed Nonce function to CSP Nonce, using crypto/rand reader to generate the nonce * Review Changes * Moved all CSP Nonce related code to a separate file * Removed the shallow copy *r = *r.WithContext() * Updated tests with the new changes * Added withCSPNonce functions * Renamed CSP related functions and variables to explicitly start with CSP * Improved Error Message, Formatting
Showing
4 changed files
with
96 additions
and
3 deletions.
@@ -1,8 +1,6 @@ | ||
language: go | ||
|
||
go: | ||
- 1.5.x | ||
- 1.6.x | ||
- 1.7.x | ||
- 1.8.x | ||
- 1.9.x | ||
|
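--- /dev/null
+++ b/[csp source file — path not shown on page]
@@ -0,0 +1,36 @@
+package secure
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"io"
+	"net/http"
+)
+
+// CSPNonce returns the nonce value associated with the present request. If no nonce has been generated it returns an empty string.
+func CSPNonce(c context.Context) string {
+	if val, ok := c.Value(cspNonceKey).(string); ok {
+		return val
+	}
+
+	return ""
+}
+
+type key int
+
+const cspNonceKey key = iota
+
+func cspRandNonce() string {
+	var buf [cspNonceSize]byte
+	_, err := io.ReadFull(rand.Reader, buf[:])
+	if err != nil {
+		panic("CSP Nonce rand.Reader failed" + err.Error())
+	}
+
+	return base64.RawStdEncoding.EncodeToString(buf[:])
+}
+
+func withCSPNonce(r *http.Request, nonce string) *http.Request {
+	return r.WithContext(context.WithValue(r.Context(), cspNonceKey, nonce))
+}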
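Review bot: The panic in cspRandNonce glues the message onto the error text with no separator, so a failure reads like `CSP Nonce rand.Reader failedunexpected EOF`; change it to `panic("CSP Nonce rand.Reader failed: " + err.Error())`. Treating an unreadable crypto/rand as fatal is the right call here, since emitting a weak or empty nonce would silently defeat the policy, but that intent deserves a why-comment on the panic line, e.g. `// a nonce must never be produced from anything but crypto/rand; failing hard is safer than a predictable value`. The two unexported helpers have no doc comment; `// cspRandNonce returns a fresh unpadded-base64 nonce built from cspNonceSize bytes of crypto/rand.` and `// withCSPNonce returns a copy of r whose context carries nonce for CSPNonce to read.` would state the contract. cspNonceSize is not declared in this file and presumably comes from another file of this commit that is outside this view, so its value (the description says 16 bytes) cannot be confirmed here.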
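--- /dev/null
+++ b/[csp test file — path not shown on page]
@@ -0,0 +1,41 @@
+package secure
+
+import (
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestCSPNonce(t *testing.T) {
+	s := New(Options{
+		ContentSecurityPolicy: "default-src 'self' $NONCE; script-src 'strict-dynamic' $NONCE",
+	})
+
+	res := httptest.NewRecorder()
+	req, _ := http.NewRequest("GET", "/foo", nil)
+
+	s.Handler(myHandler).ServeHTTP(res, req)
+
+	expect(t, res.Code, http.StatusOK)
+
+	csp := res.Header().Get("Content-Security-Policy")
+	expect(t, strings.Count(csp, "'nonce-"), 2)
+
+	nonce := strings.Split(strings.Split(csp, "'")[3], "-")[1]
+
+	_, err := base64.RawStdEncoding.DecodeString(nonce)
+	expect(t, err, nil)
+
+	expect(t, csp, fmt.Sprintf("default-src 'self' 'nonce-%[1]s'; script-src 'strict-dynamic' 'nonce-%[1]s'", nonce))
+}
+
+func TestWithCSPNonce(t *testing.T) {
+	req, _ := http.NewRequest("GET", "/foo", nil)
+
+	nonce := "jdgKGHkbnd+/"
+
+	expect(t, CSPNonce(withCSPNonce(req, nonce).Context()), nonce)
+}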
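Review bot: TestCSPNonce sends a single request, so it never checks the property the nonce exists for, that every response gets a fresh value; a regression that computed the nonce once and reused it across requests would still pass this test. A second request through the same handler whose header is compared against the first would pin that down, as sketched below. The extraction `strings.Split(strings.Split(csp, "'")[3], "-")[1]` panics with an index error rather than failing the test cleanly if the header shape changes, so a length check before indexing would give a clearer failure. myHandler and expect are not defined in this file and presumably live in the package's existing test file.

```go
	// … unchanged: first request, status and header assertions …

	// A nonce is only a useful allow-list token if it differs per response;
	// a reused value would authorize scripts across requests.
	res2 := httptest.NewRecorder()
	req2, _ := http.NewRequest("GET", "/foo", nil)
	s.Handler(myHandler).ServeHTTP(res2, req2)
	if res2.Header().Get("Content-Security-Policy") == csp {
		t.Fatal("CSP nonce reused across requests")
	}
```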