cors
fix get host from req.header
ref: https://golang.org/pkg/net/http/#Request
```go
	// Header contains the request header fields either received
	// by the server or to be sent by the client.
	//
	// If a server received a request with header lines,
	//
	//	Host: example.com
	//	accept-encoding: gzip, deflate
	//	Accept-Language: en-us
	//	fOO: Bar
	//	foo: two
	//
	// then
	//
	//	Header = map[string][]string{
	//		"Accept-Encoding": {"gzip, deflate"},
	//		"Accept-Language": {"en-us"},
	//		"Foo": {"Bar", "two"},
	//	}
	//
	// For incoming requests, the Host header is promoted to the
	// Request.Host field and removed from the Header map.
	//
	// HTTP defines that header names are case-insensitive. The
	// request parser implements this by using CanonicalHeaderKey,
	// making the first character and any characters following a
	// hyphen uppercase and the rest lowercase.
	//
	// For client requests, certain headers such as Content-Length
	// and Connection are automatically written when needed and
	// values in Header may be ignored. See the documentation
	// for the Request.Write method.
	Header Header
```
```go
// Constants for readRequest's deleteHostHeader parameter.
const (
	deleteHostHeader = true
	keepHostHeader   = false
)
```
and in `readRequest` func
```go
	// RFC 7230, section 5.3: Must treat
	//	GET /index.html HTTP/1.1
	//	Host: www.google.com
	// and
	//	GET http://www.google.com/index.html HTTP/1.1
	//	Host: doesntmatter
	// the same. In the second case, any Host line is ignored.
	req.Host = req.URL.Host
	if req.Host == "" {
		req.Host = req.Header.get("Host")
	}
	if deleteHostHeader {
		delete(req.Header, "Host")
	}
```
ref: request.go
```go
	// For server requests Host specifies the host on which the URL
	// is sought. Per RFC 7230, section 5.4, this is either the value
	// of the "Host" header or the host name given in the URL itself.
	// It may be of the form "host:port". For international domain
	// names, Host may be in Punycode or Unicode form. Use
	// golang.org/x/net/idna to convert it to either format if
	// needed.
	// To prevent DNS rebinding attacks, server Handlers should
	// validate that the Host header has a value for which the
	// Handler considers itself authoritative. The included
	// ServeMux supports patterns registered to particular host
	// names and thus protects its registered Handlers.
	//
	// For client requests Host optionally overrides the Host
	// header to send. If empty, the Request.Write method uses
	// the value of URL.Host. Host may contain an international
	// domain name.
	Host string
```
I think you should use `Host` of `Header`
ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
```
Origin: <scheme> "://" <hostname> [ ":" <port> ]
```
```go
// Per RFC 7230, section 5.4, this is either the value
// of the "Host" header or the host name given in the URL itself.
// It may be of the form "host:port".
```
Our target is to determine whether the request is same origin. So I think just determine whether the host is the same as the origin (remove scheme+"://").
Maybe we should use `req.Host`?
BTW, how to use `Host` of `Header` in Go? It has been removed @thinkerou
@liaojianqi please fix the conflicts.
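
Added example, not part of this pull request or the cors project's code: it parses constructed raw requests with `http.ReadRequest` to show that the `Host` header is gone from the `Header` map while `req.Host` is populated, then applies the comparison proposed in the thread (Origin without its scheme against `req.Host`). `parseRaw`, `sameOrigin` and the sample hosts are hypothetical names, and treating a request with no `Origin` header as non-cross-origin is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed sample requests (not from the page).
const (
	sameReq  = "GET /api HTTP/1.1\r\nHost: example.com:8080\r\nOrigin: http://example.com:8080\r\n\r\n"
	crossReq = "GET /api HTTP/1.1\r\nHost: example.com:8080\r\nOrigin: https://other.example\r\n\r\n"
	absReq   = "GET http://www.google.com/index.html HTTP/1.1\r\nHost: doesntmatter\r\n\r\n"
)

// parseRaw parses a raw HTTP/1.1 request with the standard library's server-side parser.
func parseRaw(raw string) *http.Request {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		panic(err)
	}
	return req
}

// sameOrigin (hypothetical helper) compares the host[:port] part of Origin with req.Host.
// Like the proposal in the thread, it ignores the scheme.
func sameOrigin(req *http.Request) bool {
	origin := req.Header.Get("Origin")
	if origin == "" {
		return true // assumption: no Origin header means not a cross-origin request
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false // malformed or opaque origin such as "null"
	}
	return strings.EqualFold(u.Host, req.Host)
}

func main() {
	for _, raw := range []string{sameReq, crossReq, absReq} {
		req := parseRaw(raw)
		// Host was promoted to req.Host and deleted from the Header map.
		fmt.Printf("Header.Get(\"Host\")=%q req.Host=%q sameOrigin=%v\n",
			req.Header.Get("Host"), req.Host, sameOrigin(req))
	}
}
```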