
Capitalize "X-Xss-Protection:" -> "X-XSS-Protection:"

Open jf opened this issue 10 years ago • 5 comments

I'm not so sure about the support for the current capitalization now (X-Xss-Protection) in the various browsers; I think it shouldn't be a problem if we trust them to follow the HTTP spec properly (HTTP Header names are case-insensitive)... but it'd still be nice to capitalize it properly to X-XSS-Protection:

  1. XSS is an acronym
  2. the README uses X-XSS-Protection as well

jf avatar Jun 18 '15 23:06 jf

Hey! I think I might be missing something here... I just checked the code and it is properly cased: https://github.com/martini-contrib/secure/blob/master/secure.go#L41 Are you seeing this in the code or the output?

unrolled avatar Jun 19 '15 14:06 unrolled

Thanks, Cory. I'm seeing this in the output. There is no middleware before this, and I am updated to the latest commit (de8e19a0490b816696d093388d53f2e1f0c08b7d)

jf avatar Jun 19 '15 14:06 jf

Alright, I dug into this a bit more and here's what I found out. Go canonicalizes the header keys automatically for us (whether we like it or not): https://golang.org/src/net/http/header.go#L166

// CanonicalHeaderKey returns the canonical format of the
// header key s.  The canonicalization converts the first
// letter and any letter following a hyphen to upper case;
// the rest are converted to lowercase.  For example, the
// canonical key for "accept-encoding" is "Accept-Encoding".

unrolled avatar Jun 24 '15 15:06 unrolled

Thanks, Cory! Appreciate you digging into this for me. So what's your verdict on this?

jf avatar Jun 24 '15 17:06 jf

I don't think we can do anything about this. As long as we use Go's Header().Add() function, it'll change our header keys.

unrolled avatar Jun 24 '15 17:06 unrolled
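
The canonicalization discussed in this thread, as an added example (not code from martini-contrib/secure): it compares the header name serialized after `Header.Set` with the name serialized after assigning to the `http.Header` map directly, which the net/http documentation gives as the way to use non-canonical keys. The value `1; mode=block` and the helper names are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

const value = "1; mode=block" // constructed sample value

// wireName serializes h in wire format and returns the header name that
// matches want case-insensitively, exactly as it would be sent.
func wireName(h http.Header, want string) string {
	var buf bytes.Buffer
	h.Write(&buf)
	for _, line := range strings.Split(buf.String(), "\r\n") {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) == 2 && strings.EqualFold(parts[0], want) {
			return parts[0]
		}
	}
	return ""
}

// viaSet uses Header.Set, which canonicalizes the key before storing it.
func viaSet() http.Header {
	h := http.Header{}
	h.Set("X-XSS-Protection", value)
	return h
}

// viaMap assigns to the map directly, which stores the key as written.
func viaMap() http.Header {
	h := http.Header{}
	h["X-XSS-Protection"] = []string{value}
	return h
}

func main() {
	fmt.Println(http.CanonicalHeaderKey("X-XSS-Protection"))
	fmt.Println(wireName(viaSet(), "x-xss-protection"))
	fmt.Println(wireName(viaMap(), "x-xss-protection"))
	// Get canonicalizes its argument, so it misses the directly assigned key.
	fmt.Printf("%q\n", viaMap().Get("X-XSS-Protection"))
}
```

Because `Get`, `Set`, `Add` and `Del` all canonicalize their argument, a key stored through direct map assignment is invisible to them, so any test or middleware that checks for the header has to read the map with the same spelling or compare names case-insensitively.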