From a48cf931aee3c0b747a85d34cc7d344e2db1d425 Mon Sep 17 00:00:00 2001
From: Naren Venkataraman
Date: Sat, 14 Nov 2015 12:17:52 -0500
Subject: [PATCH 1/4] Use reason variable

---
 handler.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/handler.go b/handler.go
index 1e465a6..b231289 100644
--- a/handler.go
+++ b/handler.go
@@ -42,7 +42,7 @@ var ErrStatusCodes = map[error]int{
 ErrInvalidOffset: http.StatusBadRequest,
 ErrNotFound: http.StatusNotFound,
 ErrFileLocked: 423, // Locked (WebDAV) (RFC 4918)
- ErrMismatchOffset: http.StatusConflict,
+ ErrMismatchOffset: http.StatusConflict,
 ErrSizeExceeded: http.StatusRequestEntityTooLarge,
 ErrNotImplemented: http.StatusNotImplemented,
 ErrUploadNotFinished: http.StatusBadRequest,
@@ -453,15 +453,17 @@ func (handler *Handler) sendError(w http.ResponseWriter, r *http.Request, err er
 status = 500
 }
 
- reason := err.Error()
+ reason := err.Error() + "\n"
 if r.Method == "HEAD" {
 reason = ""
 }
 
- w.Header().Set("Content-Type", "text/plain")
+ //https://golang.org/src/net/http/server.go#L1429
+ w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+ w.Header().Set("X-Content-Type-Options", "nosniff")
 w.Header().Set("Content-Length", strconv.Itoa(len(reason)))
 w.WriteHeader(status)
- w.Write([]byte(err.Error()))
+ w.Write([]byte(reason))
 }
 
 // Make an absolute URLs to the given upload id. If the base path is absolute

From 04ff76f0ac153a4be823dc7f5f3bd45839e4cb2b Mon Sep 17 00:00:00 2001
From: Naren Venkataraman
Date: Sat, 14 Nov 2015 12:25:26 -0500
Subject: [PATCH 2/4] Add GET,DELETE and remove redundant OPTIONS from Access-Control-Allow-Headers

---
 handler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handler.go b/handler.go
index b231289..9512d2e 100644
--- a/handler.go
+++ b/handler.go
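Review bot: In sendError the response body still echoes `err.Error()` verbatim for the 500 fallback (the hunk opens on `status = 500`), so any error that is not in ErrStatusCodes — a storage or I/O failure, for instance — can expose internal detail such as file paths to the client. Keep the descriptive text for the mapped client errors but send a generic body for the fallback, e.g. `if status == 500 { reason = http.StatusText(status) + "\n" }`, and log the original error server-side if the part of sendError above this hunk does not already do so. Two smaller points: the HEAD branch ends up with `Content-Length: 0`, whereas for HEAD that header is meant to describe the body a GET would carry, so computing the length before clearing `reason` is closer to RFC 7231; and the `w.Write` return value is discarded, which is the usual choice here but deserves a one-line comment. The charset and nosniff additions on the text/plain error body are the right defensive defaults.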
@@ -145,7 +145,7 @@ func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 if r.Method == "OPTIONS" {
 // Preflight request
- header.Set("Access-Control-Allow-Methods", "POST, HEAD, PATCH, OPTIONS")
+ header.Set("Access-Control-Allow-Methods", "POST, GET, HEAD, PATCH, DELETE")
 header.Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Upload-Length, Upload-Offset, Tus-Resumable, Upload-Metadata")
 header.Set("Access-Control-Max-Age", "86400")
 

From 294b815afb4c7d3ee1968deb1c88ae054229f013 Mon Sep 17 00:00:00 2001
From: Naren Venkataraman
Date: Sun, 15 Nov 2015 17:15:24 -0500
Subject: [PATCH 3/4] Add OPTIONS back

---
 handler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handler.go b/handler.go
index 9512d2e..ae73737 100644
--- a/handler.go
+++ b/handler.go
@@ -145,7 +145,7 @@ func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 if r.Method == "OPTIONS" {
 // Preflight request
- header.Set("Access-Control-Allow-Methods", "POST, GET, HEAD, PATCH, DELETE")
+ header.Set("Access-Control-Allow-Methods", "POST, GET, HEAD, PATCH, DELETE, OPTIONS")
 header.Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Upload-Length, Upload-Offset, Tus-Resumable, Upload-Metadata")
 header.Set("Access-Control-Max-Age", "86400")
 

From d87b72e34dc4691eb29bc4921d8db99bc897aec2 Mon Sep 17 00:00:00 2001
From: Naren Venkataraman
Date: Sun, 15 Nov 2015 17:21:57 -0500
Subject: [PATCH 4/4] Add nosniff header by default

---
 handler.go | 5 +++-
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/handler.go b/handler.go
index ae73737..21e6f2f 100644
--- a/handler.go
+++ b/handler.go
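Review bot: The `Access-Control-Allow-Methods` value is a free-standing string literal that has to be kept in sync by hand with the methods the handler actually accepts, and the PATCH 2/4 and PATCH 3/4 hunks together show the cost: OPTIONS is dropped and then restored with nothing catching either state. Lift the list into one package-level constant, e.g. `const allowedMethods = "POST, GET, HEAD, PATCH, DELETE, OPTIONS"`, referenced both here and wherever the handler's method dispatch lives (not visible in this hunk), so the advertised and accepted sets cannot drift. Note also that the preflight answer is cached by `Access-Control-Max-Age: 86400`, so widening the list to GET and DELETE reaches browsers at once but any later narrowing takes up to a day to propagate; advertising DELETE cross-origin is only as safe as the DELETE handler's own authorization, which is outside this hunk. The enclosing ServeHTTP body starts and ends outside the hunk.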
@@ -158,6 +158,9 @@ func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // Set current version used by the server
 header.Set("Tus-Resumable", "1.0.0")
 
+ // Add nosniff to all responses https://golang.org/src/net/http/server.go#L1429
+ header.Set("X-Content-Type-Options", "nosniff")
+
 // Set appropriated headers in case of OPTIONS method allowing protocol
 // discovery and end with an 204 No Content
 if r.Method == "OPTIONS" {
@@ -458,9 +461,7 @@ func (handler *Handler) sendError(w http.ResponseWriter, r *http.Request, err er
 reason = ""
 }
 
- //https://golang.org/src/net/http/server.go#L1429
 w.Header().Set("Content-Type", "text/plain; charset=utf-8")
- w.Header().Set("X-Content-Type-Options", "nosniff")
 w.Header().Set("Content-Length", strconv.Itoa(len(reason)))
 w.WriteHeader(status)
 w.Write([]byte(reason))
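Review bot: Error responses now carry `X-Content-Type-Options: nosniff` only when they pass through the ServeHTTP prelude, because this hunk sets it there and the `@@ -458,9 +461,7 @@` hunk below removes it from sendError; if sendError is reachable from any other path — not visible here — those text/plain error bodies lose the header, so either record that assumption in sendError's doc comment or keep a cheap `w.Header().Set("X-Content-Type-Options", "nosniff")` there as belt-and-braces. The new comment links a line number inside the Go standard library source, which will rot; say what the header is for instead, e.g. `// nosniff on every response: browsers must honour the declared Content-Type rather than sniff the body (sendError writes text/plain error text).` Setting it before the OPTIONS branch is right, since the 204 preflight reply then picks it up as well. ServeHTTP starts and ends outside this hunk.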