From 429cc20eb7935b3e3f9ee945a130c3b72c63b50d Mon Sep 17 00:00:00 2001
From: Jakob Borg <jakob@kastelo.net>
Date: Sun, 10 Sep 2017 08:28:12 +0000
Subject: [PATCH] cmd/syncthing: Add some common security releated HTTP headers
 (fixes #4360)

GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/4361
---
 cmd/syncthing/gui.go           | 25 +++++++++++++++++++++++--
 cmd/syncthing/gui_statics.go   | 12 ++++++------
 lib/config/guiconfiguration.go | 21 +++++++++++----------
 3 files changed, 40 insertions(+), 18 deletions(-)

diff --git a/cmd/syncthing/gui.go b/cmd/syncthing/gui.go
index b15881bf..57134d45 100644
--- a/cmd/syncthing/gui.go
+++ b/cmd/syncthing/gui.go
@@ -332,7 +332,7 @@ func (s *apiService) Serve() {
 	}
 
 	// Add the CORS handling
-	handler = corsMiddleware(handler)
+	handler = corsMiddleware(handler, guiCfg.InsecureAllowFrameLoading)
 
 	if addressIsLocalhost(guiCfg.Address()) && !guiCfg.InsecureSkipHostCheck {
 		// Verify source host
@@ -459,7 +459,7 @@ func debugMiddleware(h http.Handler) http.Handler {
 	})
 }
 
-func corsMiddleware(next http.Handler) http.Handler {
+func corsMiddleware(next http.Handler, allowFrameLoading bool) http.Handler {
 	// Handle CORS headers and CORS OPTIONS request.
 	// CORS OPTIONS request are typically sent by browser during AJAX preflight
 	// when the browser initiate a POST request.
@@ -486,6 +486,27 @@ func corsMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
+		// Other security related headers that should be present.
+		// https://www.owasp.org/index.php/Security_Headers
+
+		if !allowFrameLoading {
+			// We don't want to be rendered in an <iframe>,
+			// <frame> or <object>. (Unless we do it ourselves.
+			// This is also an escape hatch for people who serve
+			// Syncthing GUI as part of their own website
+			// through a proxy, so they don't need to set the
+			// allowFrameLoading bool.)
+			w.Header().Set("X-Frame-Options", "SAMEORIGIN")
+		}
+
+		// If the browser senses an XSS attack it's allowed to take
+		// action. (How this would not always be the default I
+		// don't fully understand.)
+		w.Header().Set("X-XSS-Protection", "1; mode=block")
+
+		// Our content type headers are correct. Don't guess.
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+
 		// For everything else, pass to the next handler
 		next.ServeHTTP(w, r)
 		return
diff --git a/cmd/syncthing/gui_statics.go b/cmd/syncthing/gui_statics.go
index 745faf1a..b3046b6b 100644
--- a/cmd/syncthing/gui_statics.go
+++ b/cmd/syncthing/gui_statics.go
@@ -141,17 +141,17 @@ func (s *staticsServer) serveThemes(w http.ResponseWriter, r *http.Request) {
 func (s *staticsServer) mimeTypeForFile(file string) string {
 	// We use a built in table of the common types since the system
 	// TypeByExtension might be unreliable. But if we don't know, we delegate
-	// to the system.
+	// to the system. All our files are UTF-8.
 	ext := filepath.Ext(file)
 	switch ext {
 	case ".htm", ".html":
-		return "text/html"
+		return "text/html; charset=utf-8"
 	case ".css":
-		return "text/css"
+		return "text/css; charset=utf-8"
 	case ".js":
-		return "application/javascript"
+		return "application/javascript; charset=utf-8"
 	case ".json":
-		return "application/json"
+		return "application/json; charset=utf-8"
 	case ".png":
 		return "image/png"
 	case ".ttf":
@@ -159,7 +159,7 @@ func (s *staticsServer) mimeTypeForFile(file string) string {
 	case ".woff":
 		return "application/x-font-woff"
 	case ".svg":
-		return "image/svg+xml"
+		return "image/svg+xml; charset=utf-8"
 	default:
 		return mime.TypeByExtension(ext)
 	}
diff --git a/lib/config/guiconfiguration.go b/lib/config/guiconfiguration.go
index 63c5a934..7e87bf39 100644
--- a/lib/config/guiconfiguration.go
+++ b/lib/config/guiconfiguration.go
@@ -13,16 +13,17 @@ import (
 )
 
 type GUIConfiguration struct {
-	Enabled               bool   `xml:"enabled,attr" json:"enabled" default:"true"`
-	RawAddress            string `xml:"address" json:"address" default:"127.0.0.1:8384"`
-	User                  string `xml:"user,omitempty" json:"user"`
-	Password              string `xml:"password,omitempty" json:"password"`
-	RawUseTLS             bool   `xml:"tls,attr" json:"useTLS"`
-	APIKey                string `xml:"apikey,omitempty" json:"apiKey"`
-	InsecureAdminAccess   bool   `xml:"insecureAdminAccess,omitempty" json:"insecureAdminAccess"`
-	Theme                 string `xml:"theme" json:"theme" default:"default"`
-	Debugging             bool   `xml:"debugging,attr" json:"debugging"`
-	InsecureSkipHostCheck bool   `xml:"insecureSkipHostcheck,omitempty" json:"insecureSkipHostcheck"`
+	Enabled                   bool   `xml:"enabled,attr" json:"enabled" default:"true"`
+	RawAddress                string `xml:"address" json:"address" default:"127.0.0.1:8384"`
+	User                      string `xml:"user,omitempty" json:"user"`
+	Password                  string `xml:"password,omitempty" json:"password"`
+	RawUseTLS                 bool   `xml:"tls,attr" json:"useTLS"`
+	APIKey                    string `xml:"apikey,omitempty" json:"apiKey"`
+	InsecureAdminAccess       bool   `xml:"insecureAdminAccess,omitempty" json:"insecureAdminAccess"`
+	Theme                     string `xml:"theme" json:"theme" default:"default"`
+	Debugging                 bool   `xml:"debugging,attr" json:"debugging"`
+	InsecureSkipHostCheck     bool   `xml:"insecureSkipHostcheck,omitempty" json:"insecureSkipHostcheck"`
+	InsecureAllowFrameLoading bool   `xml:"insecureAllowFrameLoading,omitempty" json:"insecureAllowFrameLoading"`
 }
 
 func (c GUIConfiguration) Address() string {