Documentation ¶
Overview ¶
Package header provides functions for parsing and setting HTTP headers.
Index ¶
- Constants
- func Copy(header http.Header) http.Header
- func ParseList(header http.Header, key string) []string
- func ParseTime(header http.Header, key string) time.Time
- func ParseValueAndParams(header http.Header, key string) (value string, params map[string]string)
- func SetCSP(header http.Header, args CSPArgs) error
- func SetContentDisposition(header http.Header, args DispositionArgs) error
- type AcceptSpec
- type CSPArgs
- type DispositionArgs
Constants ¶
	const (
		TypeInline     = "inline"
		TypeAttachment = "attachment"
	)
Constants for DispositionArgs.
	const (
		// Fetch directives
		CSPChildSrc    = "child-src"    // Web workers and nested contexts such as frames
		CSPConnectSrc  = "connect-src"  // Script interfaces: Ajax, WebSocket, Fetch API, etc
		CSPDefaultSrc  = "default-src"  // Fallback for the other directives
		CSPFontSrc     = "font-src"     // Custom fonts
		CSPFrameSrc    = "frame-src"    // <frame> and <iframe>
		CSPImgSrc      = "img-src"      // Images (HTML and CSS), favicon
		CSPManifestSrc = "manifest-src" // Web app manifest
		CSPMediaSrc    = "media-src"    // <audio> and <video>
		CSPObjectSrc   = "object-src"   // <object>, <embed>, and <applet>
		CSPScriptSrc   = "script-src"   // JavaScript
		CSPStyleSrc    = "style-src"    // CSS

		// Document directives govern the properties of a document
		CSPBaseURI     = "base-uri"     // Restrict what can be used in <base>
		CSPPluginTypes = "plugin-types" // Whitelist MIME types for <object>, <embed>, <applet>
		CSPSandbox     = "sandbox"      // Enable sandbox for the page

		// Navigation directives govern whereto a user can navigate
		CSPFormAction     = "form-action"     // Restrict targets for form submissions
		CSPFrameAncestors = "frame-ancestors" // Valid parents for embedding with frames, <object>, etc.

		// Reporting directives control the reporting process of CSP violations; see
		// also the Content-Security-Policy-Report-Only header
		CSPReportURI = "report-uri"

		// Other directives
		CSPBlockAllMixedContent = "block-all-mixed-content" // Don't load any HTTP content when using https
	)
CSP Directives.
	const (
		CSPSourceSelf         = "'self'"          // Exact origin of the document
		CSPSourceNone         = "'none'"          // Nothing matches
		CSPSourceUnsafeInline = "'unsafe-inline'" // Inline <script>/<style>, onevent="", etc.
		CSPSourceUnsaleEval   = "'unsafe-eval'"   // eval()
		CSPSourceStar         = "*"               // Everything
	)
Content-Security-Policy values
Functions ¶
func ParseList ¶
ParseList parses a comma separated list of values. Commas are ignored in quoted strings. Quoted values are not unescaped or unquoted. Whitespace is trimmed.
func ParseTime ¶
ParseTime parses the header as time. The zero value is returned if the header is not present or there is an error parsing the header.
func ParseValueAndParams ¶
ParseValueAndParams parses a comma separated list of values with optional semicolon separated name-value pairs. Content-Type and Content-Disposition headers are in this format.
func SetCSP ¶
SetCSP sets a Content-Security-Policy header.
Most directives require a value. The exceptions are CSPSandbox and CSPBlockAllMixedContent.
Only special values (CSPSource* constants) need to be quoted. Don't add quotes around hosts.
Valid sources:
	CSPSource*
	Hosts               example.com, *.example.com, https://example.com
	Scheme              data:, blob:, etc.
	nonce-<val>         inline scripts using a cryptographic nonce
	<hash_algo>-<val>   hash of specific script.
Also see: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Example ¶
	package main

	import (
		"log"
		"net/http"

		"github.com/arp242/utils/httputilx/header2"
	)

	func main() {
		static := "static.example.com"
		headers := make(http.Header)

		// SetCSP returns an error; check it instead of discarding it.
		err := header2.SetCSP(headers, header2.CSPArgs{
			header2.CSPDefaultSrc: {header2.CSPSourceNone},
			header2.CSPScriptSrc:  {static},
			header2.CSPStyleSrc:   {static, header2.CSPSourceUnsafeInline},
			header2.CSPFormAction: {header2.CSPSourceSelf},
			header2.CSPReportURI:  {"/csp"},
		})
		if err != nil {
			log.Fatal(err)
		}
	}
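A stand-alone check for the rules listed under SetCSP, added here as an example and not part of this package: auditCSP (a hypothetical helper) parses a policy string and reports directives without a value, quoted hosts, permissive sources and a missing default-src fallback. The sample policy is constructed, and the quoted-host test is a heuristic.

```go
package main

import (
	"fmt"
	"strings"
)

// Directives that take no value, per the SetCSP notes on this page.
var valueless = map[string]bool{"sandbox": true, "block-all-mixed-content": true}

// Sources that switch off most of the protection a fetch directive gives.
var permissive = map[string]bool{"'unsafe-inline'": true, "'unsafe-eval'": true, "*": true}

// auditCSP (hypothetical helper) returns findings in directive order.
func auditCSP(policy string) []string {
	var findings []string
	seen := map[string]bool{}
	for _, part := range strings.Split(policy, ";") {
		f := strings.Fields(part)
		if len(f) == 0 {
			continue // empty segment, e.g. a trailing ";"
		}
		name, srcs := strings.ToLower(f[0]), f[1:]
		if seen[name] { // browsers keep the first occurrence only
			findings = append(findings, name+": duplicate directive")
			continue
		}
		seen[name] = true
		if len(srcs) == 0 && !valueless[name] {
			findings = append(findings, name+": missing value")
		}
		for _, s := range srcs {
			switch {
			case permissive[s]:
				findings = append(findings, name+": permissive source "+s)
			case strings.HasPrefix(s, "'") && strings.Contains(s, "."):
				// Heuristic: a quoted token with a dot is a host; hosts go unquoted.
				findings = append(findings, name+": quoted host "+s)
			}
		}
	}
	if !seen["default-src"] {
		findings = append(findings, "default-src: not set, no fallback")
	}
	return findings
}

func main() {
	p := "default-src 'none'; script-src 'static.example.com'; style-src static.example.com 'unsafe-inline'; form-action; sandbox"
	fmt.Println(strings.Join(auditCSP(p), "\n")) // p is a constructed sample
}
```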
func SetContentDisposition ¶
func SetContentDisposition(header http.Header, args DispositionArgs) error
SetContentDisposition sets the Content-Disposition header. Any previous value will be overwritten.
https://tools.ietf.org/html/rfc2183
https://tools.ietf.org/html/rfc6266
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition
Example ¶
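	package main

	import (
		"log"
		"net/http"

		"github.com/arp242/utils/httputilx/header2"
	)

	func main() {
		headers := make(http.Header)

		// Type is the disposition type (TypeInline or TypeAttachment),
		// not the media type of the file.
		err := header2.SetContentDisposition(headers, header2.DispositionArgs{
			Type:     header2.TypeAttachment,
			Filename: "foo.png",
		})
		if err != nil {
			log.Fatal(err)
		}
	}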
Types ¶
type AcceptSpec ¶
AcceptSpec describes an Accept* header.
func ParseAccept ¶
func ParseAccept(header http.Header, key string) (specs []AcceptSpec)
ParseAccept parses Accept* headers.
type DispositionArgs ¶
DispositionArgs are arguments for SetContentDisposition().