Roberto Clapis
Currently we install the htmlxsrf protection by default; we should provide a way to use the Angular one instead.
# CORP

`Cross-Origin-Resource-Policy` needs to be set to same-origin on all responses that are not protected by the CORS plugin (those should get a cross-origin value instead). There should be...
Currently we mandate people to use `http.ServeMux`, but we might want to think about a way to allow people to use their own routers.
This is important for XSRF double-submit cookies and for other [potential non-security related breakages](https://drupal.stackexchange.com/questions/25271/what-does-the-vary-cookie-header-actually-do-for-serving-pages-from-varnish). Note: we cannot claim `Vary` but we should just add the value.
It is currently possible to use the default dispatcher to write JSON, templated HTML and static HTML. It would be beneficial to add one more type to allow text/plain strings...
See design [here](https://github.com/golang/go/issues/42166)
These are just some comments from an initial general review.

# Package structure

Packages should be named after their functions but the directory tree should reflect dependencies. The overlord/interests package...
We'd eventually like to update the language version, and when we do we should advance to a version that has generics. We should then assess places that could be improved...
All builtin plugin packages should have exemptions in separate ones to ease bancheck or similar tool integrations. I did this in #341 for csp, fetchmetadata and framing by creating the...