
Unified Diff: sdk/lib/io/http_impl.dart

Issue 443373003: Make the default HTTP server configuration more secure (Closed) Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart
Patch Set: Additional edit Created 6 years, 4 months ago
Index: sdk/lib/io/http_impl.dart
diff --git a/sdk/lib/io/http_impl.dart b/sdk/lib/io/http_impl.dart
index 971186d9f3ee1edb3d1f2186caba2a124aeb0557..3e95adaccc0cd35d6aa7ebc90b0233b2f51baf28 100644
--- a/sdk/lib/io/http_impl.dart
+++ b/sdk/lib/io/http_impl.dart
@@ -429,14 +429,16 @@ abstract class _HttpOutboundMessage<T> extends _IOSinkImpl {
_HttpOutboundMessage(Uri uri,
String protocolVersion,
- _HttpOutgoing outgoing)
+ _HttpOutgoing outgoing,
+ {_HttpHeaders initialHeaders})
: super(outgoing, null),
_uri = uri,
headers = new _HttpHeaders(
protocolVersion,
defaultPortForScheme: uri.scheme == 'https' ?
HttpClient.DEFAULT_HTTPS_PORT :
- HttpClient.DEFAULT_HTTP_PORT),
+ HttpClient.DEFAULT_HTTP_PORT,
+ initialHeaders: initialHeaders),
_outgoing = outgoing {
_outgoing.outbound = this;
_encodingMutable = false;
@@ -503,9 +505,10 @@ class _HttpResponse extends _HttpOutboundMessage<HttpResponse>
_HttpResponse(Uri uri,
String protocolVersion,
_HttpOutgoing outgoing,
+ HttpHeaders defaultHeaders,
String serverHeader)
- : super(uri, protocolVersion, outgoing) {
- if (serverHeader != null) headers._add('server', serverHeader);
+ : super(uri, protocolVersion, outgoing, initialHeaders: defaultHeaders) {
+ if (serverHeader != null) headers.set('server', serverHeader);
}
bool get _isConnectionClosed => _httpRequest._httpConnection._isClosing;
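Review bot: The new `defaultHeaders` parameter is declared as `HttpHeaders` but is forwarded to the `initialHeaders` parameter of `_HttpOutboundMessage`, which is typed `_HttpHeaders`; under Dart's unchecked assignability this compiles, but if `_HttpHeaders` relies on `initialHeaders` being its own type (it is constructed outside this hunk), a value of any other `HttpHeaders` implementation stored in the public `defaultResponseHeaders` field would only fail at runtime. Declaring the parameter as `_HttpHeaders defaultHeaders` would make that expectation explicit. Separately, `headers.set('server', serverHeader)` now runs after the defaults are copied in, so a `server` value an application has placed in the default headers is silently replaced whenever `serverHeader` is non-null; that precedence deserves a comment, e.g. `// serverHeader takes precedence over any 'server' entry in defaultHeaders.`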
@@ -2037,6 +2040,7 @@ class _HttpConnection
var response = new _HttpResponse(incoming.uri,
incoming.headers.protocolVersion,
outgoing,
+ _httpServer.defaultResponseHeaders,
_httpServer.serverHeader);
var request = new _HttpRequest(response, incoming, _httpServer, this);
_streamFuture = outgoing.done
@@ -2155,6 +2159,7 @@ class _HttpServer
static Map<int, _HttpServer> _servers = new Map<int, _HttpServer>();
String serverHeader;
+ HttpHeaders defaultResponseHeaders;
Anders Johnsen 2014/08/12 05:49:13 Change to: final HttpHeaders defaultResponseHea
Søren Gjesse 2014/08/12 06:53:49 Done.
Duration _idleTimeout;
Timer _idleTimer;
@@ -2182,6 +2187,7 @@ class _HttpServer
}
_HttpServer._(this._serverSocket, this._closeServer) {
+ _initDefaultResponseHeaders();
_controller = new StreamController<HttpRequest>(sync: true,
onCancel: close);
idleTimeout = const Duration(seconds: 120);
@@ -2190,6 +2196,7 @@ class _HttpServer
}
_HttpServer.listenOn(this._serverSocket) : _closeServer = false {
+ _initDefaultResponseHeaders();
_controller = new StreamController<HttpRequest>(sync: true,
onCancel: close);
idleTimeout = const Duration(seconds: 120);
@@ -2197,6 +2204,14 @@ class _HttpServer
try { _serverSocket._owner = this; } catch (_) {}
}
+ _initDefaultResponseHeaders() {
Anders Johnsen 2014/08/12 05:49:13 Make this a static function and call it directly i
Søren Gjesse 2014/08/12 06:53:49 Done.
+ defaultResponseHeaders = new _HttpHeaders('1.1');
+ defaultResponseHeaders.contentType = ContentType.TEXT;
+ defaultResponseHeaders.set('X-Frame-Options', 'SAMEORIGIN');
+ defaultResponseHeaders.set('X-Content-Type-Options', 'nosniff');
+ defaultResponseHeaders.set('X-XSS-Protection', '1; mode=block');
+ }
+
Duration get idleTimeout => _idleTimeout;
void set idleTimeout(Duration duration) {
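Review bot: `_initDefaultResponseHeaders` installs three hardening headers and a default content type without any comment on why they are there or how an application is expected to opt out, which is the information a user of `defaultResponseHeaders` will look for. A short doc comment on the method should state that these defaults are copied into every response created by the server, name the purpose of each header (clickjacking protection via X-Frame-Options, MIME-sniffing suppression via X-Content-Type-Options, the legacy XSS filter flag via X-XSS-Protection, and text/plain as the fallback content type), and point out that an application can remove or change them through `defaultResponseHeaders` before serving requests. The defaults are also built with a hard-coded protocol version, `new _HttpHeaders('1.1')`, while each response's own headers use `incoming.headers.protocolVersion`; if the version stored in the default object influences anything once it is copied, that mismatch should be confirmed, otherwise a comment saying the version is irrelevant here would prevent the question. Whether the shared default instance is copied or referenced per response depends on how `_HttpHeaders` handles `initialHeaders`, which is outside this hunk. The `idleTimeout` setter on the last line begins here and continues outside the hunk.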
