Make the default HTTP server configuration more secure

sdk/lib/io/http.dart

 // Copyright (c) 2013, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of dart.io;
 
 /**
  * HTTP status codes.
  */
 abstract class HttpStatus {
@@ skipping 146 matching lines @@
    * generated by this [HttpServer].
    *
    * If [serverHeader] is `null`, no `Server` header will be added to each
    * response.
    *
    * The default value is `null`.
    */
   String serverHeader;
 
   /**
+   * Default set of headers added to all response objects.
+   *
+   * By default the following headers are in this set:
+   *
+   *    Content-Type: text/plain; charset=utf-8
+   *    X-Frame-Options: SAMEORIGIN
+   *    X-Content-Type-Options: nosniff
+   *    X-XSS-Protection: 1; mode=block
+   *
+   * If the `Server` header is added here and the `serverHeader` is set as
+   * well then the value of `serverHeader` takes precedence.
+   */
+  HttpHeaders get defaultResponseHeaders;
+
+  /**
    * Get or set the timeout used for idle keep-alive connections. If no further
    * request is seen within [idleTimeout] after the previous request was
    * completed, the connection is dropped.
    *
    * Default is 120 seconds.
    *
    * Note that it may take up to `2 * idleTimeout` before a idle connection is
    * aborted.
    *
    * To disable, set [idleTimeout] to `null`.
@@ skipping 396 matching lines @@
    */
   void forEach(void f(String name, List<String> values));
 
   /**
    * Disables folding for the header named [name] when sending the HTTP
    * header. By default, multiple header values are folded into a
    * single header line by separating the values with commas. The
    * 'set-cookie' header has folding disabled by default.
    */
   void noFolding(String name);
+
+  /**
+   * Remove all headers. Some headers have system supplied values and
+   * for these the system supplied values will still be added to the
+   * collection of values for the header.
+   */
+  void clear();
 }
 
 
 /**
  * Representation of a header value in the form:
  *
  *   [:value; parameter1=value1; parameter2=value2:]
  *
  * [HeaderValue] can be used to conveniently build and parse header
  * values on this form.
@@ skipping 213 matching lines @@
    */
   bool secure;
 
   /**
    * Gets and sets whether this cookie is HTTP only.
    */
   bool httpOnly;
 
   /**
    * Creates a new cookie optionally setting the name and value.
+   *
+   * By default the value of `httpOnly` will be set to `true`.
    */
   factory Cookie([String name, String value]) => new _Cookie(name, value);
 
   /**
    * Creates a new cookie by parsing a header value from a 'set-cookie'
    * header.
    */
   factory Cookie.fromSetCookieValue(String value) {
     return new _Cookie.fromSetCookieValue(value);
   }
@@ skipping 1127 matching lines @@
 class RedirectException implements HttpException {
   final String message;
   final List<RedirectInfo> redirects;
 
   const RedirectException(this.message, this.redirects);
 
   String toString() => "RedirectException: $message";
 
   Uri get uri => redirects.last.location;
 }