From 70268a24a84d4109f6b1f5db30efc1a51702d63b Mon Sep 17 00:00:00 2001
From: Michael Barz
Date: Thu, 18 Jan 2024 00:07:31 +0100
Subject: [PATCH] fix: cors handling in propfind

---
 go.mod | 2 +-
 go.sum | 4 +--
 .../http/services/owncloud/ocdav/ocdav.go | 26 -------------------
 .../owncloud/ocdav/propfind/propfind.go | 10 ++++---
 4 files changed, 10 insertions(+), 32 deletions(-)

diff --git a/go.mod b/go.mod
index a211916973..7c323e3baa 100644
--- a/go.mod
+++ b/go.mod
@@ -67,7 +67,7 @@ require (
 	github.com/prometheus/alertmanager v0.24.0
 	github.com/prometheus/client_golang v1.16.0
 	github.com/rogpeppe/go-internal v1.10.0
-	github.com/rs/cors v1.9.0
+	github.com/rs/cors v1.10.1
 	github.com/rs/zerolog v1.29.1
 	github.com/sethvargo/go-password v0.2.0
 	github.com/shamaton/msgpack/v2 v2.1.1
diff --git a/go.sum b/go.sum
index 70887fd37f..12f4c36c51 100644
--- a/go.sum
+++ b/go.sum
@@ -1158,8 +1158,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/rs/cors v1.8.2/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
-github.com/rs/cors v1.9.0 h1:l9HGsTsHJcvW14Nk7J9KFz8bzeAWXn3CG6bgt7LsrAE=
-github.com/rs/cors v1.9.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
+github.com/rs/cors v1.10.1 h1:L0uuZVXIKlI1SShY2nhFfo44TYvDPQ1w4oFkUJNfhyo=
+github.com/rs/cors v1.10.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/xid v1.4.0 h1:qd7wPTDkN6KQx2VmMBLrpHkiyQwgFXRnkOLacUiaSNY=
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.29.1 h1:cO+d60CHkknCbvzEWxP0S9K6KqyTjrCNUy1LdQLCGPc=
diff --git a/internal/http/services/owncloud/ocdav/ocdav.go b/internal/http/services/owncloud/ocdav/ocdav.go
index 0eabd525e1..c06bd748e4 100644
--- a/internal/http/services/owncloud/ocdav/ocdav.go
+++ b/internal/http/services/owncloud/ocdav/ocdav.go
@@ -165,8 +165,6 @@ func (s *svc) Handler() http.Handler {
 		ctx := r.Context()
 		log := appctx.GetLogger(ctx)
 
-		addAccessHeaders(w, r)
-
 		// TODO(jfd): do we need this?
 		// fake litmus testing for empty namespace: see https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/webdav/litmus_test_server.go#L58-L89
 		if r.Header.Get(net.HeaderLitmus) == "props: 3 (propfind_invalid2)" {
@@ -284,30 +282,6 @@ func (s *svc) ApplyLayout(ctx context.Context, ns string, useLoggedInUserNS bool
 	return templates.WithUser(u, ns), requestPath, nil
 }
 
-func addAccessHeaders(w http.ResponseWriter, r *http.Request) {
-	headers := w.Header()
-	// the webdav api is accessible from anywhere
-	headers.Set("Access-Control-Allow-Origin", "*")
-	// all resources served via the DAV endpoint should have the strictest possible as default
-	headers.Set("Content-Security-Policy", "default-src 'none';")
-	// disable sniffing the content type for IE
-	headers.Set("X-Content-Type-Options", "nosniff")
-	// https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
-	headers.Set("X-Download-Options", "noopen")
-	// Disallow iFraming from other domains
-	headers.Set("X-Frame-Options", "SAMEORIGIN")
-	// https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
-	headers.Set("X-Permitted-Cross-Domain-Policies", "none")
-	// https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
-	headers.Set("X-Robots-Tag", "none")
-	// enforce browser based XSS filters
-	headers.Set("X-XSS-Protection", "1; mode=block")
-
-	if r.TLS != nil {
-		headers.Set("Strict-Transport-Security", "max-age=63072000")
-	}
-}
-
 func authContextForUser(client gateway.GatewayAPIClient, userID *userpb.UserId, machineAuthAPIKey string) (context.Context, error) {
 	if machineAuthAPIKey == "" {
 		return nil, errtypes.NotSupported("machine auth not configured")
diff --git a/internal/http/services/owncloud/ocdav/propfind/propfind.go b/internal/http/services/owncloud/ocdav/propfind/propfind.go
index f9271fbbe9..fc5764738e 100644
--- a/internal/http/services/owncloud/ocdav/propfind/propfind.go
+++ b/internal/http/services/owncloud/ocdav/propfind/propfind.go
@@ -486,12 +486,16 @@ func (p *Handler) propfindResponse(ctx context.Context, w http.ResponseWriter, r
 	w.Header().Set(net.HeaderDav, "1, 3, extended-mkcol")
 	w.Header().Set(net.HeaderContentType, "application/xml; charset=utf-8")
 	if sendTusHeaders {
-		w.Header().Add(net.HeaderAccessControlExposeHeaders, strings.Join([]string{net.HeaderTusResumable, net.HeaderTusVersion, net.HeaderTusExtension}, ", "))
+		w.Header().Add(net.HeaderAccessControlExposeHeaders, net.HeaderTusResumable)
+		w.Header().Add(net.HeaderAccessControlExposeHeaders, net.HeaderTusVersion)
+		w.Header().Add(net.HeaderAccessControlExposeHeaders, net.HeaderTusExtension)
+		w.Header().Set(net.HeaderAccessControlExposeHeaders, strings.Join(w.Header().Values(net.HeaderAccessControlExposeHeaders), ", "))
 		w.Header().Set(net.HeaderTusResumable, "1.0.0")
 		w.Header().Set(net.HeaderTusVersion, "1.0.0")
-		w.Header().Set(net.HeaderTusExtension, "creation,creation-with-upload,checksum,expiration")
+		w.Header().Set(net.HeaderTusExtension, "creation, creation-with-upload, checksum, expiration")
 	}
-	w.Header().Set(net.HeaderVary, net.HeaderPrefer)
+	w.Header().Add(net.HeaderVary, net.HeaderPrefer)
+	w.Header().Set(net.HeaderVary, strings.Join(w.Header().Values(net.HeaderVary), ", "))
 	if returnMinimal {
 		w.Header().Set(net.HeaderPreferenceApplied, "return=minimal")
 	}
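Review bot: The Add-then-Set-with-Join pattern on Access-Control-Expose-Headers and again on Vary carries no comment explaining why the values must be collapsed into one comma-joined line, so the next maintainer is likely to "simplify" it back to a plain Set and silently reintroduce the bug (the old `Set(net.HeaderVary, net.HeaderPrefer)` clobbered whatever the cors middleware had already put there, e.g. `Vary: Origin`, which is exactly what lets a cache hand one origin's CORS response to another); put `// merge with values already set by the cors middleware instead of overwriting them, and emit a single header line` above the first Add. The spaces added to the Tus-Extension value (`"creation, creation-with-upload, checksum, expiration"`) are not mentioned in the commit message; HTTP list syntax tolerates whitespace after the comma, but a tus client that splits on "," without trimming would see ` checksum`, so either confirm this against the clients in use or keep the compact form. Separately, the deleted addAccessHeaders in ocdav.go set not only Access-Control-Allow-Origin but also Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options, X-Permitted-Cross-Domain-Policies and HSTS, and nothing in this patch re-adds them, so unless a middleware outside the diff supplies them every DAV response (including user-uploaded files fetched via GET) loses that hardening. propfindResponse starts and ends outside the hunk.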