
ring-headers's People

Contributors

confusion, devurandom, kbaribeau, weavejester


ring-headers's Issues

Absolute Redirects Middleware RFC compliance

Hi,

The absolute redirects middleware claims that the "HTTP RFC" does not allow relative URIs in the Location header.

This was true for RFC 2616, but is no longer true in RFC 7231, which obsoletes RFC 2616

http://tools.ietf.org/html/rfc7231#section-7.1.2

http://tools.ietf.org/html/rfc2616#page-135

I think the prudent solution is:

  1. Update the docstrings for this middleware
  2. remove absolute-redirects from the default set of middlewares in ring-defaults

(1) seems like a no-brainer, I'll attach a PR. (2) might be debatable.

Thoughts?

the x-headers middleware appears to be incompatible with seq header values

Using a header such as {"content-type" ["text/plain" "text/html"]} in the response will result in the following exception:

  [clojure.core$re_matcher invokeStatic core.clj 4667]
  [clojure.core$re_find invokeStatic core.clj 4716]
  [clojure.core$re_find invoke core.clj 4716]
  [ring.middleware.default_charset$text_based_content_type_QMARK_ invokeStatic default_charset.clj 7]
  [ring.middleware.default_charset$text_based_content_type_QMARK_ invoke default_charset.clj 6]
  [ring.middleware.default_charset$add_charset invokeStatic default_charset.clj 15]
  [ring.middleware.default_charset$add_charset invoke default_charset.clj 13]
  [ring.middleware.default_charset$wrap_default_charset$fn__12380 invoke default_charset.clj 27]
  [ring.middleware.not_modified$wrap_not_modified$fn__12337 invoke not_modified.clj 52]
  [ring.middleware.x_headers$wrap_xss_protection$fn__11091 invoke x_headers.clj 71]
  [ring.middleware.x_headers$wrap_frame_options$fn__11079 invoke x_headers.clj 38]
  [ring.middleware.x_headers$wrap_content_type_options$fn__11085 invoke x_headers.clj 53]

Not sure if this is the expected behavior as the spec states that header values can be seqs.
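The failure in the trace above comes from running a regex over a header value that is a vector rather than a string. The following is an added Clojure example, not code from ring-headers or Ring itself, showing how a header-inspecting middleware can accept both forms the Ring spec allows (a string or a seq of strings). The namespace, the `header-value->string` helper and the `text-based-content-type?` predicate are assumptions made for this example; the regex only approximates the kind of check `wrap-default-charset` performs.

```clojure
(ns example.header-values
  (:require [clojure.string :as str]))

;; Added example, not ring-headers' own code. A Ring response header
;; value may be a String or a seq of Strings; middleware that hands the
;; raw value straight to re-find throws on the seq form. Normalize the
;; value to the single-line shape it would have on the wire, then match.

(defn header-value->string
  "Return a header value as one string. Seq values are joined the way a
   client would see them if the server folded them into one header line."
  [v]
  (cond
    (nil? v)    nil
    (string? v) v
    (coll? v)   (str/join ", " v)
    :else       (str v)))

(defn text-based-content-type?
  "Hypothetical check: does this Content-Type value denote a text-based
   body? Works for a string or a seq of strings and never throws."
  [content-type]
  (boolean
   (some->> content-type
            header-value->string
            (re-find #"^(text/|application/(json|xml|.*\+xml))"))))

(comment
  ;; Constructed inputs for trying the predicate at the REPL.
  (text-based-content-type? ["text/plain" "text/html"])
  (text-based-content-type? "image/png")
  (text-based-content-type? nil))
```

Note that joining with `", "` is only appropriate for inspecting a value; when emitting headers, seq values such as multiple `Set-Cookie` entries must stay separate lines, so this helper should not be used to rewrite the response map itself.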

wrap-forwarded-remote-addr ELB compatibility

Can you elaborate on the commit message for 2b3ea70?

Middleware function incorrectly used the first rather than last value present in the X-Forwarded-For header. This could result in attackers being able to spoof the :remote-addr key if this middleware was used. Reported by Daniel Compton [email protected].

Shouldn't a load balancer either set the X-Forwarded-For header or not forward it at all?

Since that commit breaks compatibility with ELB could we make using the first or last IP configurable?
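The commit message quoted above turns on where in the X-Forwarded-For chain the client's address sits: each proxy appends the peer address it saw, so anything a client put in the header itself ends up to the left of what a trusted proxy appended. The following is an added Clojure example, not ring-headers' `wrap-forwarded-remote-addr`, illustrating a defensive way to pick the address: trust the header only when the direct peer is a known proxy, and walk in from the right past known proxy addresses. The namespace, the `trusted-proxy?` predicate, the `wrap-trusted-forwarded-remote-addr` name and the sample addresses are all constructed for this example.

```clojure
(ns example.forwarded-for
  (:require [clojure.string :as str]))

;; Added example, not ring-headers' middleware. Demonstrates why the
;; rightmost entries of X-Forwarded-For are the only ones a trusted
;; proxy vouches for, and how to fall back to :remote-addr otherwise.

(defn parse-forwarded-for
  "Split a comma-separated X-Forwarded-For value into trimmed addresses."
  [v]
  (->> (str/split (str v) #",")
       (map str/trim)
       (remove str/blank?)
       vec))

(defn client-addr
  "Pick the client address for a request.
   xff            - raw X-Forwarded-For header value (may be nil)
   remote-addr    - the TCP peer address Ring already recorded
   trusted-proxy? - predicate (e.g. a set of proxy IPs) naming the
                    proxies allowed to append to the header"
  [xff remote-addr trusted-proxy?]
  (if-not (trusted-proxy? remote-addr)
    ;; The direct peer is not one of our proxies: the header is
    ;; whatever the peer chose to send, so it cannot be believed.
    remote-addr
    ;; Walk from the right, skipping addresses of proxies we trust.
    ;; The first untrusted one is the client as seen by the nearest
    ;; trusted proxy; everything left of it is client-controlled.
    (or (->> (rseq (parse-forwarded-for xff))
             (remove trusted-proxy?)
             first)
        remote-addr)))

(defn wrap-trusted-forwarded-remote-addr
  "Hypothetical middleware: replace :remote-addr with the address
   derived above. Ring lowercases request header names."
  [handler trusted-proxy?]
  (fn [request]
    (let [xff  (get-in request [:headers "x-forwarded-for"])
          addr (client-addr xff (:remote-addr request) trusted-proxy?)]
      (handler (assoc request :remote-addr addr)))))

(comment
  ;; Constructed scenario: 10.0.0.5 is our load balancer, which appended
  ;; 203.0.113.7; the client itself sent "198.51.100.9" in the header.
  (let [trusted #{"10.0.0.5"}]
    (client-addr "198.51.100.9, 203.0.113.7" "10.0.0.5" trusted)
    ;; Same header arriving directly, not via the load balancer.
    (client-addr "198.51.100.9, 203.0.113.7" "192.0.2.44" trusted)))
```

Using a first-value rule on the constructed header above would yield the client-chosen `198.51.100.9`; walking from the right past trusted proxies yields the address the load balancer actually observed, which is the property the commit message is after. A setup where the header should be trusted only at a fixed number of hops can swap the set for a predicate that counts entries instead.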

Custom Uri format throws Malformed exception

If using ring defaults with:

:absolute-redirects - Any redirects to relative URLs will be turned into redirects to absolute URLs, to better conform to the HTTP spec.

set to true,

Returning something like this:

  {:status 302
   :headers {"Location" (format "blah://blah?abc=%s" abc)}
   :body ""}

Will throw -> java.net.MalformedURLException: unknown protocol: blah

Copied from ring-clojure/ring#306 (comment)

X-Frame-Options Allow-from and Chrome

As noted, the X-Frame-Options :allow-from is not fully supported by all browsers; most notably, Chrome does not support it. So is there a way to allow one's Clojure/Ring site to be served externally (different TLDomain website from one's own) using an iframe, in a way that's still secure against clickjacking while also working in Chrome please? Thanks in advance for any help!
