ring-clojure / ring-headers
Ring middleware for common response headers
Hi,
The absolute redirects middleware claims that the "HTTP RFC" does not allow relative URIs in the Location header.
This was true for RFC 2616, but is no longer true in RFC 7231, which obsoletes RFC 2616.
http://tools.ietf.org/html/rfc7231#section-7.1.2
http://tools.ietf.org/html/rfc2616#page-135
I think the prudent solution is:
(1) seems like a no-brainer, I'll attach a PR. (2) might be debatable.
Thoughts?
Using a header such as {"content-type" ["text/plain" "text/html"]}
in the response will result in the following exception:
[clojure.core$re_matcher invokeStatic core.clj 4667]
[clojure.core$re_find invokeStatic core.clj 4716]
[clojure.core$re_find invoke core.clj 4716]
[ring.middleware.default_charset$text_based_content_type_QMARK_ invokeStatic default_charset.clj 7]
[ring.middleware.default_charset$text_based_content_type_QMARK_ invoke default_charset.clj 6]
[ring.middleware.default_charset$add_charset invokeStatic default_charset.clj 15]
[ring.middleware.default_charset$add_charset invoke default_charset.clj 13]
[ring.middleware.default_charset$wrap_default_charset$fn__12380 invoke default_charset.clj 27]
[ring.middleware.not_modified$wrap_not_modified$fn__12337 invoke not_modified.clj 52]
[ring.middleware.x_headers$wrap_xss_protection$fn__11091 invoke x_headers.clj 71]
[ring.middleware.x_headers$wrap_frame_options$fn__11079 invoke x_headers.clj 38]
[ring.middleware.x_headers$wrap_content_type_options$fn__11085 invoke x_headers.clj 53]
Not sure if this is the expected behavior as the spec states that header values can be seqs.
Can you elaborate on the commit message for 2b3ea70?
Middleware function incorrectly used the first rather than last value present in the X-Forwarded-For header. This could result in attackers being able to spoof the :remote-addr key if this middleware was used. Reported by Daniel Compton [email protected].
Shouldn't a load balancer either set the X-Forwarded-For header or not forward it at all?
Since that commit breaks compatibility with ELB could we make using the first or last IP configurable?
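Added example, not ring-headers' own code, showing why the leftmost X-Forwarded-For value is the one a client can choose and how a set of trusted proxy addresses makes the first-vs-last choice configurable. The names `parse-xff`, `client-addr` and `wrap-forwarded-remote-addr`, and the addresses 198.51.100.10, 203.0.113.7 and 10.0.0.1, are constructed for this example.

```clojure
(ns example.forwarded-for
  (:require [clojure.string :as str]))

;; Split a comma-separated X-Forwarded-For value into trimmed addresses.
;; A missing header (nil) yields an empty vector.
(defn parse-xff [value]
  (->> (str/split (str value) #",")
       (map str/trim)
       (remove str/blank?)
       vec))

;; Each proxy on the path appends the address it saw, so only the right
;; end of the list is vouched for by infrastructure we control; anything
;; left of the last trusted hop was written by the client or by an
;; intermediary we do not trust. Walk from the right, skipping our own
;; proxies, and take the first address that is not one of them.
(defn client-addr [xff trusted-proxies]
  (->> (reverse (parse-xff xff))
       (drop-while (partial contains? trusted-proxies))
       first))

;; Middleware: derive :remote-addr from X-Forwarded-For, but only when the
;; TCP peer itself is a trusted proxy; a direct client can send any header.
(defn wrap-forwarded-remote-addr [handler trusted-proxies]
  (fn [request]
    (let [peer (:remote-addr request)
          xff  (get-in request [:headers "x-forwarded-for"])
          addr (when (contains? trusted-proxies peer)
                 (client-addr xff trusted-proxies))]
      (handler (assoc request :remote-addr (or addr peer))))))

;; Constructed request: the connection came from our proxy 198.51.100.10;
;; the client put a forged "10.0.0.1" at the front of the header and the
;; proxy appended the address it actually saw, 203.0.113.7.
(def sample-request
  {:remote-addr "198.51.100.10"
   :headers     {"x-forwarded-for" "10.0.0.1, 203.0.113.7"}})

;; Compare the naive "first value" and "last value" choices with the
;; trusted-proxy derivation; only the first value is attacker-chosen here.
(defn demo []
  (let [xff     (get-in sample-request [:headers "x-forwarded-for"])
        handler (wrap-forwarded-remote-addr
                 (fn [req] {:status 200 :body (:remote-addr req)})
                 #{"198.51.100.10"})]
    {:first-value (first (parse-xff xff))
     :last-value  (last (parse-xff xff))
     :middleware  (:body (handler sample-request))}))
```

With an empty trusted set the middleware reduces to the "last value" behaviour of the commit; adding a load balancer's address to the set skips that hop instead of hard-coding first or last.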
If using ring defaults with:
:absolute-redirects - Any redirects to relative URLs will be turned into redirects to absolute URLs, to better conform to the HTTP spec.
set to true, returning something like this:
{:status 302
:headers {"Location" (format "blah://blah?abc=%s" abc)}
:body ""}
Will throw -> java.net.MalformedURLException: unknown protocol: blah
Copied from ring-clojure/ring#306 (comment)
As noted, the X-Frame-Options :allow-from is not fully supported by all browsers; most notably, Chrome does not support it. So is there a way to allow one's Clojure/Ring site to be served externally (different TLDomain website from one's own) using an iframe, in a way that's still secure against clickjacking while also working in Chrome please? Thanks in advance for any help!