header

package
v0.0.0-...-2e72ad6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 23, 2024 License: MIT Imports: 7 Imported by: 2

Documentation

Overview

Package header provides functions for parsing and setting HTTP headers.

Index

Examples

Constants

View Source 
const (
	TypeInline     = "inline"
	TypeAttachment = "attachment"
)

Constants for DispositionArgs.

View Source 
const (
	// Fetch directives
	CSPChildSrc    = "child-src"    // Web workers and nested contexts such as frames
	CSPConnectSrc  = "connect-src"  // Script interfaces: Ajax, WebSocket, Fetch API, etc
	CSPDefaultSrc  = "default-src"  // Fallback for the other directives
	CSPFontSrc     = "font-src"     // Custom fonts
	CSPFrameSrc    = "frame-src"    // <frame> and <iframe>
	CSPImgSrc      = "img-src"      // Images (HTML and CSS), favicon
	CSPManifestSrc = "manifest-src" // Web app manifest
	CSPMediaSrc    = "media-src"    // <audio> and <video>
	CSPObjectSrc   = "object-src"   // <object>, <embed>, and <applet>
	CSPScriptSrc   = "script-src"   // JavaScript
	CSPStyleSrc    = "style-src"    // CSS

	// Document directives govern the properties of a document
	CSPBaseURI     = "base-uri"     // Restrict what can be used in <base>
	CSPPluginTypes = "plugin-types" // Whitelist MIME types for <object>, <embed>, <applet>
	CSPSandbox     = "sandbox"      // Enable sandbox for the page

	// Navigation directives govern whereto a user can navigate
	CSPFormAction     = "form-action"     // Restrict targets for form submissions
	CSPFrameAncestors = "frame-ancestors" // Valid parents for embedding with frames, <object>, etc.

	// Reporting directives control the reporting process of CSP violations; see
	// also the Content-Security-Policy-Report-Only header
	CSPReportURI = "report-uri"

	// Other directives
	CSPBlockAllMixedContent = "block-all-mixed-content" // Don't load any HTTP content when using https
)

CSP Directives.

View Source 
const (
	CSPSourceSelf         = "'self'"          // Exact origin of the document
	CSPSourceNone         = "'none'"          // Nothing matches
	CSPSourceUnsafeInline = "'unsafe-inline'" // Inline <script>/<style>, onevent="", etc.
	CSPSourceUnsafeEval   = "'unsafe-eval'"   // eval()
	CSPSourceStar         = "*"               // Everything

	CSPSourceHTTP        = "http:"
	CSPSourceHTTPS       = "https:"
	CSPSourceData        = "data:"
	CSPSourceMediastream = "mediastream:"
	CSPSourceBlob        = "blob:"
	CSPSourceFilesystem  = "filesystem:"
)

Content-Security-Policy values

Variables

This section is empty.

Functions

func Copy 

func Copy(header http.Header) http.Header

Copy returns a shallow copy of the header.

func ParseList 

func ParseList(header http.Header, key string) []string

ParseList parses a comma separated list of values. Commas are ignored in quoted strings. Quoted values are not unescaped or unquoted. Whitespace is trimmed.

func ParseTime 

func ParseTime(header http.Header, key string) time.Time

ParseTime parses the header as time. The zero value is returned if the header is not present or there is an error parsing the header.

func ParseValueAndParams 

func ParseValueAndParams(header http.Header, key string) (value string, params map[string]string)

ParseValueAndParams parses a comma separated list of values with optional semicolon separated name-value pairs. Content-Type and Content-Disposition headers are in this format.

func SetCSP 

func SetCSP(header http.Header, args CSPArgs)

SetCSP sets a Content-Security-Policy header.

Most directives require a value. The exceptions are CSPSandbox and CSPBlockAllMixedContent.

Only special values (CSPSource* constants) need to be quoted. Don't add quotes around hosts.

Valid sources: 

CSPSource*
Hosts               example.com, *.example.com, https://example.com
Schema              data:, blob:, etc.
nonce-<val>         inline scripts using a cryptographic nonce
<hash_algo>-<val>   hash of specific script.

Also see: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Example 
package main

import (
	"net/http"

	"zgo.at/zhttp/header"
)

func main() {
	static := "static.example.com"
	headers := make(http.Header)
	header.SetCSP(headers, header.CSPArgs{
		header.CSPDefaultSrc: {header.CSPSourceNone},
		header.CSPScriptSrc:  {static},
		header.CSPStyleSrc:   {static, header.CSPSourceUnsafeInline},
		header.CSPFormAction: {header.CSPSourceSelf},
		header.CSPReportURI:  {"/csp"},
	})

}

Output:

func SetContentDisposition 

func SetContentDisposition(header http.Header, args DispositionArgs) error

SetContentDisposition sets the Content-Disposition header. Any previous value will be overwritten.

https://tools.ietf.org/html/rfc2183 https://tools.ietf.org/html/rfc6266 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition

Example 
package main

import (
	"net/http"

	"zgo.at/zhttp/header"
)

func main() {
	headers := make(http.Header)
	header.SetContentDisposition(headers, header.DispositionArgs{
		Type:     "image/png",
		Filename: "foo.png",
	})

}

Output:

Types

type AcceptSpec 

type AcceptSpec struct {
	Value string
	Q     float64
}

AcceptSpec describes an Accept* header.

func ParseAccept 

func ParseAccept(header http.Header, key string) (specs []AcceptSpec)

ParseAccept parses Accept* headers.

type CSPArgs 

type CSPArgs map[string][]string

CSPArgs are arguments for SetCSP().

type DispositionArgs 

type DispositionArgs struct {
	Type     string // disposition-type
	Filename string // filename-parm

}

DispositionArgs are arguments for SetContentDisposition().

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.