add permissionsPolicy and deprecate featurePolicy

This commit is contained in:
Wei Lun 2021-06-21 21:16:13 +08:00 committed by GitHub
parent cf0759a48f
commit dca348359b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 42 additions and 11 deletions

View file

@ -111,6 +111,7 @@
"SA1019: cfg.SSLTemporaryRedirect is deprecated", "SA1019: cfg.SSLTemporaryRedirect is deprecated",
"SA1019: cfg.SSLHost is deprecated", "SA1019: cfg.SSLHost is deprecated",
"SA1019: cfg.SSLForceHost is deprecated", "SA1019: cfg.SSLForceHost is deprecated",
"SA1019: cfg.FeaturePolicy is deprecated",
] ]
[[issues.exclude-rules]] [[issues.exclude-rules]]
path = "(.+)_test.go" path = "(.+)_test.go"

View file

@ -435,8 +435,16 @@ The `referrerPolicy` allows sites to control whether browsers forward the `Refer
### `featurePolicy` ### `featurePolicy`
!!! warning
Deprecated in favor of `permissionsPolicy`
The `featurePolicy` allows sites to control browser features. The `featurePolicy` allows sites to control browser features.
### `permissionsPolicy`
The `permissionsPolicy` allows sites to control browser features.
### `isDevelopment` ### `isDevelopment`
Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options. Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options.

2
go.mod
View file

@ -75,7 +75,7 @@ require (
github.com/uber/jaeger-client-go v2.29.1+incompatible github.com/uber/jaeger-client-go v2.29.1+incompatible
github.com/uber/jaeger-lib v2.2.0+incompatible github.com/uber/jaeger-lib v2.2.0+incompatible
github.com/unrolled/render v1.0.2 github.com/unrolled/render v1.0.2
github.com/unrolled/secure v1.0.7 github.com/unrolled/secure v1.0.9
github.com/vdemeester/shakers v0.1.0 github.com/vdemeester/shakers v0.1.0
github.com/vulcand/oxy v1.3.0 github.com/vulcand/oxy v1.3.0
github.com/vulcand/predicate v1.1.0 github.com/vulcand/predicate v1.1.0

8
go.sum
View file

@ -181,8 +181,6 @@ github.com/cloudflare/cloudflare-go v0.14.0/go.mod h1:EnwdgGMaFOruiPZRFSgn+TsQ3h
github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd h1:qMd81Ts1T2OTKmB4acZcyKaMtRnY5Y44NuXGX2GFJ1w= github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd h1:qMd81Ts1T2OTKmB4acZcyKaMtRnY5Y44NuXGX2GFJ1w=
github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
github.com/codegangsta/negroni v1.0.0 h1:+aYywywx4bnKXWvoWtRfJ91vC59NbEhEY03sZjQhbVY=
github.com/codegangsta/negroni v1.0.0/go.mod h1:v0y3T5G7Y1UlFfyxFn/QLRU4a2EuNau2iZY63YTKWo0=
github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko= github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko=
github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
@ -1026,13 +1024,15 @@ github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGr
github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
github.com/unrolled/render v1.0.2 h1:dGS3EmChQP3yOi1YeFNO/Dx+MbWZhdvhQJTXochM5bs= github.com/unrolled/render v1.0.2 h1:dGS3EmChQP3yOi1YeFNO/Dx+MbWZhdvhQJTXochM5bs=
github.com/unrolled/render v1.0.2/go.mod h1:gN9T0NhL4Bfbwu8ann7Ry/TGHYfosul+J0obPf6NBdM= github.com/unrolled/render v1.0.2/go.mod h1:gN9T0NhL4Bfbwu8ann7Ry/TGHYfosul+J0obPf6NBdM=
github.com/unrolled/secure v1.0.7 h1:BcQHp3iKZyZCKj5gRqwQG+5urnGBF00wGgoPPwtheVQ= github.com/unrolled/secure v1.0.9 h1:BWRuEb1vDrBFFDdbCnKkof3gZ35I/bnHGyt0LB0TNyQ=
github.com/unrolled/secure v1.0.7/go.mod h1:uGc1OcRF8gCVBA+ANksKmvM85Hka6SZtQIbrKc3sHS4= github.com/unrolled/secure v1.0.9/go.mod h1:fO+mEan+FLB0CdEnHf6Q4ZZVNqG+5fuLFnP8p0BXDPI=
github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
github.com/urfave/cli v1.22.5/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.5/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI= github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc=
github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4=
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8= github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
github.com/valyala/fasttemplate v1.1.0/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8= github.com/valyala/fasttemplate v1.1.0/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=

View file

@ -34,7 +34,7 @@
[http.middlewares] [http.middlewares]
[http.middlewares.secure.headers] [http.middlewares.secure.headers]
featurePolicy = "vibrate 'none';" permissionsPolicy = "microphone=(),"
[http.services] [http.services]
[http.services.service1.loadBalancer] [http.services.service1.loadBalancer]

View file

@ -137,9 +137,9 @@ func (s *HeadersSuite) TestSecureHeadersResponses(c *check.C) {
internalReqHost string internalReqHost string
}{ }{
{ {
desc: "Feature-Policy Set", desc: "Permissions-Policy Set",
expected: http.Header{ expected: http.Header{
"Feature-Policy": {"vibrate 'none';"}, "Permissions-Policy": {"microphone=(),"},
}, },
reqHost: "test.localhost", reqHost: "test.localhost",
internalReqHost: "internal.localhost", internalReqHost: "internal.localhost",
@ -185,7 +185,7 @@ func (s *HeadersSuite) TestMultipleSecureHeadersResponses(c *check.C) {
reqHost string reqHost string
}{ }{
{ {
desc: "Feature-Policy Set", desc: "Multiple Secure Headers Set",
expected: http.Header{ expected: http.Header{
"X-Frame-Options": {"DENY"}, "X-Frame-Options": {"DENY"},
"X-Content-Type-Options": {"nosniff"}, "X-Content-Type-Options": {"nosniff"},

View file

@ -226,6 +226,7 @@ func TestDo_dynamicConfiguration(t *testing.T) {
PublicKey: "foo", PublicKey: "foo",
ReferrerPolicy: "foo", ReferrerPolicy: "foo",
FeaturePolicy: "foo", FeaturePolicy: "foo",
PermissionsPolicy: "foo",
IsDevelopment: true, IsDevelopment: true,
}, },
Errors: &dynamic.ErrorPage{ Errors: &dynamic.ErrorPage{

View file

@ -178,6 +178,7 @@
"publicKey": "xxxx", "publicKey": "xxxx",
"referrerPolicy": "foo", "referrerPolicy": "foo",
"featurePolicy": "foo", "featurePolicy": "foo",
"permissionsPolicy": "foo",
"isDevelopment": true "isDevelopment": true
}, },
"errors": { "errors": {

View file

@ -185,7 +185,9 @@ type Headers struct {
ContentSecurityPolicy string `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"` ContentSecurityPolicy string `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"`
PublicKey string `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"` PublicKey string `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"`
ReferrerPolicy string `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty" export:"true"` ReferrerPolicy string `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty" export:"true"`
// Deprecated: use PermissionsPolicy instead.
FeaturePolicy string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"` FeaturePolicy string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"`
PermissionsPolicy string `json:"permissionsPolicy,omitempty" toml:"permissionsPolicy,omitempty" yaml:"permissionsPolicy,omitempty" export:"true"`
IsDevelopment bool `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty" export:"true"` IsDevelopment bool `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty" export:"true"`
} }
@ -229,6 +231,7 @@ func (h *Headers) HasSecureHeadersDefined() bool {
h.PublicKey != "" || h.PublicKey != "" ||
h.ReferrerPolicy != "" || h.ReferrerPolicy != "" ||
h.FeaturePolicy != "" || h.FeaturePolicy != "" ||
h.PermissionsPolicy != "" ||
h.IsDevelopment) h.IsDevelopment)
} }

View file

@ -68,6 +68,7 @@ func TestDecodeConfiguration(t *testing.T) {
"traefik.http.middlewares.Middleware8.headers.publickey": "foobar", "traefik.http.middlewares.Middleware8.headers.publickey": "foobar",
"traefik.http.middlewares.Middleware8.headers.referrerpolicy": "foobar", "traefik.http.middlewares.Middleware8.headers.referrerpolicy": "foobar",
"traefik.http.middlewares.Middleware8.headers.featurepolicy": "foobar", "traefik.http.middlewares.Middleware8.headers.featurepolicy": "foobar",
"traefik.http.middlewares.Middleware8.headers.permissionspolicy": "foobar",
"traefik.http.middlewares.Middleware8.headers.sslforcehost": "true", "traefik.http.middlewares.Middleware8.headers.sslforcehost": "true",
"traefik.http.middlewares.Middleware8.headers.sslhost": "foobar", "traefik.http.middlewares.Middleware8.headers.sslhost": "foobar",
"traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name0": "foobar", "traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name0": "foobar",
@ -580,6 +581,7 @@ func TestDecodeConfiguration(t *testing.T) {
PublicKey: "foobar", PublicKey: "foobar",
ReferrerPolicy: "foobar", ReferrerPolicy: "foobar",
FeaturePolicy: "foobar", FeaturePolicy: "foobar",
PermissionsPolicy: "foobar",
IsDevelopment: true, IsDevelopment: true,
}, },
}, },
@ -1063,6 +1065,7 @@ func TestEncodeConfiguration(t *testing.T) {
PublicKey: "foobar", PublicKey: "foobar",
ReferrerPolicy: "foobar", ReferrerPolicy: "foobar",
FeaturePolicy: "foobar", FeaturePolicy: "foobar",
PermissionsPolicy: "foobar",
IsDevelopment: true, IsDevelopment: true,
}, },
}, },
@ -1204,6 +1207,7 @@ func TestEncodeConfiguration(t *testing.T) {
"traefik.HTTP.Middlewares.Middleware8.Headers.PublicKey": "foobar", "traefik.HTTP.Middlewares.Middleware8.Headers.PublicKey": "foobar",
"traefik.HTTP.Middlewares.Middleware8.Headers.ReferrerPolicy": "foobar", "traefik.HTTP.Middlewares.Middleware8.Headers.ReferrerPolicy": "foobar",
"traefik.HTTP.Middlewares.Middleware8.Headers.FeaturePolicy": "foobar", "traefik.HTTP.Middlewares.Middleware8.Headers.FeaturePolicy": "foobar",
"traefik.HTTP.Middlewares.Middleware8.Headers.PermissionsPolicy": "foobar",
"traefik.HTTP.Middlewares.Middleware8.Headers.SSLForceHost": "true", "traefik.HTTP.Middlewares.Middleware8.Headers.SSLForceHost": "true",
"traefik.HTTP.Middlewares.Middleware8.Headers.SSLHost": "foobar", "traefik.HTTP.Middlewares.Middleware8.Headers.SSLHost": "foobar",
"traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name0": "foobar", "traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name0": "foobar",

View file

@ -30,6 +30,9 @@ func handleDeprecation(ctx context.Context, cfg *dynamic.Headers) {
if cfg.SSLForceHost { if cfg.SSLForceHost {
log.FromContext(ctx).Warn("SSLForceHost is deprecated, please use RedirectScheme middleware instead.") log.FromContext(ctx).Warn("SSLForceHost is deprecated, please use RedirectScheme middleware instead.")
} }
if cfg.FeaturePolicy != "" {
log.FromContext(ctx).Warn("FeaturePolicy is deprecated, please use PermissionsPolicy header instead.")
}
} }
type headers struct { type headers struct {

View file

@ -37,6 +37,7 @@ func newSecure(next http.Handler, cfg dynamic.Headers, contextKey string) *secur
SSLProxyHeaders: cfg.SSLProxyHeaders, SSLProxyHeaders: cfg.SSLProxyHeaders,
STSSeconds: cfg.STSSeconds, STSSeconds: cfg.STSSeconds,
FeaturePolicy: cfg.FeaturePolicy, FeaturePolicy: cfg.FeaturePolicy,
PermissionsPolicy: cfg.PermissionsPolicy,
SecureContextKey: contextKey, SecureContextKey: contextKey,
} }

View file

@ -130,6 +130,13 @@ func Test_newSecure_modifyResponse(t *testing.T) {
}, },
expected: http.Header{"Feature-Policy": []string{"vibrate 'none';"}}, expected: http.Header{"Feature-Policy": []string{"vibrate 'none';"}},
}, },
{
desc: "PermissionsPolicy",
cfg: dynamic.Headers{
PermissionsPolicy: "microphone=(),",
},
expected: http.Header{"Permissions-Policy": []string{"microphone=(),"}},
},
{ {
desc: "STSSeconds", desc: "STSSeconds",
cfg: dynamic.Headers{ cfg: dynamic.Headers{

View file

@ -104,6 +104,7 @@ func Test_buildConfiguration(t *testing.T) {
"traefik/http/middlewares/Middleware09/headers/contentTypeNosniff": "true", "traefik/http/middlewares/Middleware09/headers/contentTypeNosniff": "true",
"traefik/http/middlewares/Middleware09/headers/accessControlAllowCredentials": "true", "traefik/http/middlewares/Middleware09/headers/accessControlAllowCredentials": "true",
"traefik/http/middlewares/Middleware09/headers/featurePolicy": "foobar", "traefik/http/middlewares/Middleware09/headers/featurePolicy": "foobar",
"traefik/http/middlewares/Middleware09/headers/permissionsPolicy": "foobar",
"traefik/http/middlewares/Middleware09/headers/forceSTSHeader": "true", "traefik/http/middlewares/Middleware09/headers/forceSTSHeader": "true",
"traefik/http/middlewares/Middleware09/headers/sslRedirect": "true", "traefik/http/middlewares/Middleware09/headers/sslRedirect": "true",
"traefik/http/middlewares/Middleware09/headers/sslHost": "foobar", "traefik/http/middlewares/Middleware09/headers/sslHost": "foobar",
@ -596,6 +597,7 @@ func Test_buildConfiguration(t *testing.T) {
PublicKey: "foobar", PublicKey: "foobar",
ReferrerPolicy: "foobar", ReferrerPolicy: "foobar",
FeaturePolicy: "foobar", FeaturePolicy: "foobar",
PermissionsPolicy: "foobar",
IsDevelopment: true, IsDevelopment: true,
}, },
}, },