noxssrw

package

v0.11.2 Latest Latest Go to latest Published: May 28, 2020 License: MPL-2.0 Imports: 2 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/samsungnext/nomad

Links

Open Source Insights

Documentation ¶

Overview ¶

Package noxssrw (No XSS ResponseWriter) behaves like the Go standard library's ResponseWriter by detecting the Content-Type of a response if it has not been explicitly set. However, unlike the standard library's implementation, this implementation will never return the "text/html" Content-Type and instead return "text/plain".

Index ¶

Variables
func NewResponseWriter(orig http.ResponseWriter) (http.ResponseWriter, func() (int, error))
type NoXSSResponseWriter

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// DefaultUnsafeTypes are Content-Types that browsers will render as hypertext.
	// Any Content-Types that allow Javascript or remote resource fetching must be
	// converted to a Content-Type that prevents evaluation.
	//
	// Types are prefix matched to avoid comparing against specific
	// character sets (eg "text/html; charset=utf-8") which may be user
	// controlled.
	DefaultUnsafeTypes = map[string]string{
		"text/html":      "text/plain",
		"text/xhtml":     "text/plain",
		"text/xhtml+xml": "text/plain",
	}

	// DefaultHeaders contain CORS headers meant to prevent the execution
	// of Javascript in compliant browsers.
	DefaultHeaders = map[string]string{
		"Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
		"X-Content-Type-Options":  "nosniff",
		"X-XSS-Protection":        "1; mode=block",
	}
)

Functions ¶

func NewResponseWriter ¶

func NewResponseWriter(orig http.ResponseWriter) (http.ResponseWriter, func() (int, error))

NewResponseWriter creates a new ResponseWriter and Close func which will prevent Go's http.ResponseWriter default behavior of detecting the Content-Type.

The Close func must be called to ensure that responses < 512 bytes are flushed as up to 512 bytes are buffered without flushing.

Types ¶

type NoXSSResponseWriter ¶

type NoXSSResponseWriter struct {
	// TypeMap maps types unsafe for untrusted content to their safe
	// version; may be replaced but not mutated.
	TypeMap map[string]string

	// DefaultHeaders to set on first write if they are not already
	// explicitly set.
	DefaultHeaders map[string]string
	// contains filtered or unexported fields
}

NoXSSResponseWriter implements http.ResponseWriter but prevents renderable Content-Types from being automatically detected. Create with NewResponseWriter.

func (*NoXSSResponseWriter) Close ¶

func (w *NoXSSResponseWriter) Close() (int, error)

Close and flush the writer. Necessary for responses that never reached 512 bytes.

func (w *NoXSSResponseWriter) Header() http.Header

Header returns the header map that will be sent by WriteHeader. The Header map also is the mechanism with which Handlers can set HTTP trailers.

Changing the header map after a call to WriteHeader (or Write) has no effect unless the modified headers are trailers.

There are two ways to set Trailers. The preferred way is to predeclare in the headers which trailers you will later send by setting the "Trailer" header to the names of the trailer keys which will come later. In this case, those keys of the Header map are treated as if they were trailers. See the example. The second way, for trailer keys not known to the Handler until after the first Write, is to prefix the Header map keys with the TrailerPrefix constant value. See TrailerPrefix.

To suppress automatic response headers (such as "Date"), set their value to nil.

func (*NoXSSResponseWriter) Write ¶

func (w *NoXSSResponseWriter) Write(p []byte) (int, error)

Write writes the data to the connection as part of an HTTP reply.

If WriteHeader has not yet been called, Write calls WriteHeader(http.StatusOK) before writing the data. If the Header does not contain a Content-Type line, Write adds a Content-Type set to the result of passing the initial 512 bytes of written data to DetectContentType. Additionally, if the total size of all written data is under a few KB and there are no Flush calls, the Content-Length header is added automatically.

Depending on the HTTP protocol version and the client, calling Write or WriteHeader may prevent future reads on the Request.Body. For HTTP/1.x requests, handlers should read any needed request body data before writing the response. Once the headers have been flushed (due to either an explicit Flusher.Flush call or writing enough data to trigger a flush), the request body may be unavailable. For HTTP/2 requests, the Go HTTP server permits handlers to continue to read the request body while concurrently writing the response. However, such behavior may not be supported by all HTTP/2 clients. Handlers should read before writing if possible to maximize compatibility.

func (*NoXSSResponseWriter) WriteHeader ¶

func (w *NoXSSResponseWriter) WriteHeader(statusCode int)

WriteHeader sends an HTTP response header with the provided status code.

If WriteHeader is not called explicitly, the first call to Write will trigger an implicit WriteHeader(http.StatusOK). Thus explicit calls to WriteHeader are mainly used to send error codes.

The provided code must be a valid HTTP 1xx-5xx status code. Only one header may be written. Go does not currently support sending user-defined 1xx informational headers, with the exception of 100-continue response header that the Server sends automatically when the Request.Body is read.

Source Files ¶

View all Source files

noxssrw.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL