Make the default HTTP server configuration more secure

sdk/lib/io/http_impl.dart

 // Copyright (c) 2013, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of dart.io;
 
 const int _OUTGOING_BUFFER_SIZE = 8 * 1024;
 
 class _HttpIncoming extends Stream<List<int>> {
   final int _transferLength;
@@ skipping 485 matching lines @@
   int _statusCode = 200;
   String _reasonPhrase;
   List<Cookie> _cookies;
   _HttpRequest _httpRequest;
   Duration _deadline;
   Timer _deadlineTimer;
 
   _HttpResponse(Uri uri,
                 String protocolVersion,
                 _HttpOutgoing outgoing,
+                HttpHeaders defaultHeaders,
                 String serverHeader)
       : super(uri, protocolVersion, outgoing) {
-    if (serverHeader != null) headers._add('server', serverHeader);
+    defaultHeaders.forEach((name, value) => headers.add(name, value));

[Anders Johnsen, 2014/08/08 06:15:45]

I'm curious to the overhead of this. Maybe we should have a headers._clone, that
will just copy the private fields (headers.add involves is-checks, to-lower-case
etc).

[Søren Gjesse, 2014/08/11 14:10:09]

Don't know. Pass the default header values to the HttpHeaders constructor for
faster cloning instead.

+    if (serverHeader != null) headers.set('server', serverHeader);
   }
 
   bool get _isConnectionClosed => _httpRequest._httpConnection._isClosing;
 
   List<Cookie> get cookies {
     if (_cookies == null) _cookies = new List<Cookie>();
     return _cookies;
   }
 
   int get statusCode => _statusCode;
@@ skipping 1511 matching lines @@
             if (closing) destroy();
           });
           // Only handle one incoming request at the time. Keep the
           // stream paused until the request has been send.
           _subscription.pause();
           _state = _ACTIVE;
           var outgoing = new _HttpOutgoing(_socket);
           var response = new _HttpResponse(incoming.uri,
                                            incoming.headers.protocolVersion,
                                            outgoing,
+                                           _httpServer.defaultResponseHeaders,
                                            _httpServer.serverHeader);
           var request = new _HttpRequest(response, incoming, _httpServer, this);
           _streamFuture = outgoing.done
               .then((_) {
                 response.deadline = null;
                 if (_state == _DETACHED) return;
                 if (response.persistentConnection &&
                     request.persistentConnection &&
                     incoming.fullBodyRead &&
                     !_httpParser.upgrade &&
@@ skipping 98 matching lines @@
 
 
 // HTTP server waiting for socket connections.
 class _HttpServer
     extends Stream<HttpRequest> with _ServiceObject
     implements HttpServer {
   // Use default Map so we keep order.
   static Map<int, _HttpServer> _servers = new Map<int, _HttpServer>();
 
   String serverHeader;
+  HttpHeaders defaultResponseHeaders;
 
   Duration _idleTimeout;
   Timer _idleTimer;
 
   static Future<HttpServer> bind(address, int port, int backlog) {
     return ServerSocket.bind(address, port, backlog: backlog).then((socket) {
       return new _HttpServer._(socket, true);
     });
   }
 
   static Future<HttpServer> bindSecure(address,
                                        int port,
                                        int backlog,
                                        String certificate_name,
                                        bool requestClientCertificate) {
     return SecureServerSocket.bind(
         address,
         port,
         certificate_name,
         backlog: backlog,
         requestClientCertificate: requestClientCertificate)
         .then((socket) {
           return new _HttpServer._(socket, true);
         });
   }
 
   _HttpServer._(this._serverSocket, this._closeServer) {
+    _initDefaultResponseHeaders();
     _controller = new StreamController<HttpRequest>(sync: true,
                                                     onCancel: close);
     idleTimeout = const Duration(seconds: 120);
     _servers[_serviceId] = this;
     _serverSocket._owner = this;
   }
 
   _HttpServer.listenOn(this._serverSocket) : _closeServer = false {
+    _initDefaultResponseHeaders();
     _controller = new StreamController<HttpRequest>(sync: true,
                                                     onCancel: close);
     idleTimeout = const Duration(seconds: 120);
     _servers[_serviceId] = this;
     try { _serverSocket._owner = this; } catch (_) {}
   }
 
+  _initDefaultResponseHeaders() {
+    defaultResponseHeaders = new _HttpHeaders('1.1');
+    defaultResponseHeaders.contentType = ContentType.TEXT;
+    defaultResponseHeaders.set('X-Frame-Options', 'SAMEORIGIN');
+    defaultResponseHeaders.set('X-Content-Type-Options', 'nosniff');
+    defaultResponseHeaders.set('X-XSS-Protection', '1; mode=block');
+  }
+
   Duration get idleTimeout => _idleTimeout;
 
   void set idleTimeout(Duration duration) {
     if (_idleTimer != null) {
       _idleTimer.cancel();
       _idleTimer = null;
     }
     _idleTimeout = duration;
     if (_idleTimeout != null) {
       _idleTimer = new Timer.periodic(_idleTimeout, (_) {
@@ skipping 593 matching lines @@
   const _RedirectInfo(this.statusCode, this.method, this.location);
 }
 
 String _getHttpVersion() {
   var version = Platform.version;
   // Only include major and minor version numbers.
   int index = version.indexOf('.', version.indexOf('.') + 1);
   version = version.substring(0, index);
   return 'Dart/$version (dart:io)';
 }