sdk/lib/io/http_impl.dart - Issue 443373003: Make the default HTTP server configuration more secure

Unified Diff: sdk/lib/io/http_impl.dart

Issue 443373003: Make the default HTTP server configuration more secure (Closed) Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart

Patch Set: Additional edit Created 6 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: sdk/lib/io/http_impl.dart

diff --git a/sdk/lib/io/http_impl.dart b/sdk/lib/io/http_impl.dart

index 971186d9f3ee1edb3d1f2186caba2a124aeb0557..3e95adaccc0cd35d6aa7ebc90b0233b2f51baf28 100644

--- a/sdk/lib/io/http_impl.dart

+++ b/sdk/lib/io/http_impl.dart

@@ -429,14 +429,16 @@ abstract class _HttpOutboundMessage<T> extends _IOSinkImpl {

_HttpOutboundMessage(Uri uri,

String protocolVersion,

- _HttpOutgoing outgoing)

+ _HttpOutgoing outgoing,

+ {_HttpHeaders initialHeaders})

: super(outgoing, null),

_uri = uri,

headers = new _HttpHeaders(

protocolVersion,

defaultPortForScheme: uri.scheme == 'https' ?

HttpClient.DEFAULT_HTTPS_PORT :

- HttpClient.DEFAULT_HTTP_PORT),

+ HttpClient.DEFAULT_HTTP_PORT,

+ initialHeaders: initialHeaders),

_outgoing = outgoing {

_outgoing.outbound = this;

_encodingMutable = false;

@@ -503,9 +505,10 @@ class _HttpResponse extends _HttpOutboundMessage<HttpResponse>

_HttpResponse(Uri uri,

String protocolVersion,

_HttpOutgoing outgoing,

+ HttpHeaders defaultHeaders,

String serverHeader)

- : super(uri, protocolVersion, outgoing) {

- if (serverHeader != null) headers._add('server', serverHeader);

+ : super(uri, protocolVersion, outgoing, initialHeaders: defaultHeaders) {

+ if (serverHeader != null) headers.set('server', serverHeader);

}

bool get _isConnectionClosed => _httpRequest._httpConnection._isClosing;

@@ -2037,6 +2040,7 @@ class _HttpConnection

var response = new _HttpResponse(incoming.uri,

incoming.headers.protocolVersion,

outgoing,

+ _httpServer.defaultResponseHeaders,

_httpServer.serverHeader);

var request = new _HttpRequest(response, incoming, _httpServer, this);

_streamFuture = outgoing.done

@@ -2155,6 +2159,7 @@ class _HttpServer

static Map<int, _HttpServer> _servers = new Map<int, _HttpServer>();

String serverHeader;

+ HttpHeaders defaultResponseHeaders;

Anders Johnsen 2014/08/12 05:49:13 Change to: final HttpHeaders defaultResponseHea

Søren Gjesse 2014/08/12 06:53:49 Done.

Duration _idleTimeout;

Timer _idleTimer;

@@ -2182,6 +2187,7 @@ class _HttpServer

}

_HttpServer._(this._serverSocket, this._closeServer) {

+ _initDefaultResponseHeaders();

_controller = new StreamController<HttpRequest>(sync: true,

onCancel: close);

idleTimeout = const Duration(seconds: 120);

@@ -2190,6 +2196,7 @@ class _HttpServer

}

_HttpServer.listenOn(this._serverSocket) : _closeServer = false {

+ _initDefaultResponseHeaders();

_controller = new StreamController<HttpRequest>(sync: true,

onCancel: close);

idleTimeout = const Duration(seconds: 120);

@@ -2197,6 +2204,14 @@ class _HttpServer

try { _serverSocket._owner = this; } catch (_) {}

}

+ _initDefaultResponseHeaders() {

Anders Johnsen 2014/08/12 05:49:13 Make this a static function and call it directly i

Søren Gjesse 2014/08/12 06:53:49 Done.

+ defaultResponseHeaders = new _HttpHeaders('1.1');

+ defaultResponseHeaders.contentType = ContentType.TEXT;

+ defaultResponseHeaders.set('X-Frame-Options', 'SAMEORIGIN');

+ defaultResponseHeaders.set('X-Content-Type-Options', 'nosniff');

+ defaultResponseHeaders.set('X-XSS-Protection', '1; mode=block');

+ }

Duration get idleTimeout => _idleTimeout;

void set idleTimeout(Duration duration) {

« sdk/lib/io/http_headers.dart ('K') | « sdk/lib/io/http_headers.dart ('k') | tests/standalone/io/http_cookie_test.dart » ('j') | no next file with comments »