Add some basic headers to OSIN provided pages

[simo5]

Use restrictive defaults for basic security hygiene.

[simo5]

@enj PTAL

[enj]

Needs review from @openshift/api-review and @jwforres to make sure this won't break anything.

[enj]

I don't know what half of these mean.

[simo5]

It means I should commit -a --amend it with the code I had locally, before sending half baked code from when I drafted the first write. sigh.

[enj]

Set seems more appropriate than add.

[simo5]

Ok

[enj]

cc @openshift/sig-security

[enj]

@simo5 maps cannot be consts.

++ Building go targets for linux/amd64: cmd/openshift cmd/oc cmd/kubefed cmd/template-service-broker pkg/network/sdn-cni-plugin vendor/github.com/containernetworking/cni/plugins/ipam/host-local vendor/github.com/containernetworking/cni/plugins/main/loopback
# github.com/openshift/origin/pkg/auth/server/headers
pkg/auth/server/headers/headers.go:9: syntax error: unexpected { after top level declaration
pkg/auth/server/headers/headers.go:9: const declaration cannot have type without expression
pkg/auth/server/headers/headers.go:9: missing value in const declaration
[ERROR] PID 105: hack/lib/build/binaries.sh:228: `GOOS=${platform%/*} GOARCH=${platform##*/} go install -pkgdir "${OS_OUTPUT_PKGDIR}/${platform}" -tags "${OS_GOFLAGS_TAGS-} ${!platform_gotags_envvar:-}" -ldflags="${local_ldflags}" "${goflags[@]:+${goflags[@]}}" "${nonstatics[@]}"` exited with status 2.

[tiran]

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options nosniff could be troublesome if applied to image resources. Are default header only applied to HTML sources?

Note: nosniff only applies to "script" and "style" types. Also applying nosniff to images turned out to be incompatible with existing web sites.

[simo5]

We do not send images in OSIN afaik, but also that page says:
"Note: nosniff only applies to "script" and "style" types." so I don't think we have a problem.

[tiran]

What about CSP headers, https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP ?

We might want to set script src and style src.

[simo5]

Just like for HSTS I am not sure we can set a static CSP because branding may add stuff to pages I think.
But I'll let @enj comment on that

[jwforres]

Yeah customer branding would definitely be an issue here, you would have to make the CSP configurable. Seems outside the scope of this particular PR.

[simo5]

Indeed @jwforres , I am going to make an Issue and we can resolve that in 3.8
CSP sounds like something we may want to share with Web console as far as using a common option when customer needs changes, perhaps.

[php-coder]

Maybe it's better to re-use this code also for #17002 or it's impossible?

[enj]

We should be able to wrap the entire OAuth mux with a handler that adds these headers so we only have to do it in one place.

[simo5]

@php-coder we are adding more headers (namely those to prevent caching) which cannot be added by default to web console because they have a lot of static assets (images/css) that should be cached.

Perhaps we could have acommon set and then wrap it, but OSIN and Webconsole may have differeing opinions and I do not see that much value in sharing a for loop over a constant that may need to differ.

[jwforres]

Yeah I tend to agree with @simo5 on having a separate handler from the console. If we shared I would worry about headers getting added that weren't appropriate in one case or the other. Plus we still intend to split out the console from the master at some point.

[simo5]

@eparis I am goign to add kind/bug to this PR and push it to master as the lack of headers is aguably a bug, as we should always have sent more restrictive ones. However it is a tiny change in behavior so I want your belssing.

handled

[simo5]

/test cmd

[eparis]

please open a BZ so QA looks specifically in this area, then feel free

[simo5]

@eparis we have a BZ, thanks

[simo5]

/test extended_conformance_gce

[simo5]

@cheimes CSP tracked here #17021

[enj]

Just some minor nits.

[enj]

loginURL := *baseURL is the normal way to do this.

[enj]

Same comment.

[enj]

t.Errorf seems more appropriate so that you do not quit the test early.

[enj]

@liggitt PTAL at the headers and dead code that was removed.

addressed

[liggitt]

/approve

[enj]

/lgtm

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, liggitt, simo5

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/auth/OWNERS [enj,liggitt]
• test/integration/OWNERS [enj,liggitt]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[openshift-merge-robot]

Automatic merge from submit-queue (batch tested with PRs 17020, 17026, 17000, 17010).