
#558 Add add-server-header

version 3.0
open
nobody
5
2014-03-13
2013-01-15
Kai Raven
No

Add add-server-header action for server responses like "add-header" for client requests, to do something like
+add-server-header{X-Frame-Options: SAMEORIGIN}
Otherwise the user must always modify an existing server header with SERVER-HEADER-FILTER in 3.0.19(?)

Discussion

  • Fabian Keil
    2013-01-15

    Thanks for the suggestion.

    I agree that having a +add-server-header{} action wouldn't hurt but don't consider it a priority.

    Note that header filters can already add headers by using \r\n in the replacement text:

    SERVER-HEADER-FILTER: add-x-frame-options Inject an X-Frame-Options server header
    s@^HTTP.*@$0\r\nX-Frame-Options: SAMEORIGIN@

    As far as Privoxy is concerned it's a header modification, but from the client's point of view it's a new header.

    BTW, I briefly tested the filter and the most noticeable effect of adding the header to all responses seems to be that Firefox quickly gets killed after running out of swap space ...

     
  • Kai Raven
    2013-01-15

    Great to hear that it can be done via \r\n in SERVER-HEADER-FILTER besides the log-parser output "found_unknown_content: Don't know how to highlight: "Transforming "HTTP/1.1 200 OK" to "HTTP/1.1 200 OK", but that is OK and I think because of "^HTTP.*...$0". But if the server sends X-Frame-Options already (e.g. deny), the header is "X-Frame-Options: SAMEORIGIN, deny" (via HttpFox), so any X-Frame-Options header must be "crunched" before adding the new header. Btw, I have no issues with high CPU or memory load, vanishing swap space...

     
  • Fabian Keil
    2013-01-16

    The privoxy-log-parser.pl complaints can be suppressed with --accept-unknown-messages (now the default in CVS).

    The "X-Frame-Options: SAMEORIGIN, deny" is probably just an incorrect representation of the reality. I'm not familiar with "HttpFox", but the "Live headers" extension has similar issues and can't even be trusted to get the status code right.

    The expected result with an already present X-Frame-Options header would be getting two separate headers. I agree that it would make sense to delete already existing headers and of course it could be done with the same filter.

    It looks like my brief tests with Firefox can't be generalized. Firefox seems to continue to work as expected on most pages but reproducibly shows the problem on http://boingboing.net/ which has lots of iframes. Firefox seems to request the iframe URLs several hundred times, increasing the memory footprint with each request until it gets killed.
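
The behaviour discussed in the reply above, as an added Python model that is not part of the thread and not Privoxy code: it applies the filter jobs to each header line separately and lists the X-Frame-Options lines that end up on the wire, with and without a first job that blanks the server's own header. The sample response, the function names, the crunch pattern and the rule that an emptied header is dropped are assumptions of this model.

```python
import re

# Constructed sample: a response head from a server that already sends
# its own X-Frame-Options header.
SAMPLE_HEAD = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "X-Frame-Options: deny",
]

# The filter job from the thread, translated from the s@...@...@ form to
# Python's re syntax ($0 becomes \g<0>).
ADD_ONLY = [(r"^HTTP.*", "\\g<0>\r\nX-Frame-Options: SAMEORIGIN", 0)]

# Same filter with a first job (assumed pattern) that blanks any
# X-Frame-Options header the server already sent.
CRUNCH_THEN_ADD = [(r"^X-Frame-Options:.*", "", re.I)] + ADD_ONLY


def apply_header_filter(head, jobs):
    """Run every job on each header line on its own, in order (modelled on
    Privoxy's one-header-at-a-time filtering). Assumption of this model: a
    header that ends up empty is dropped from the response."""
    out = []
    for line in head:
        for pattern, repl, flags in jobs:
            line = re.sub(pattern, repl, line, flags=flags)
        if line:
            out.append(line)
    return "\r\n".join(out) + "\r\n\r\n"


def header_values(wire, name):
    """Return the value of every `name` line as sent on the wire, one entry
    per physical header line, which is what a packet capture would show."""
    values = []
    for line in wire.split("\r\n")[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


if __name__ == "__main__":
    for label, jobs in (("add only", ADD_ONLY),
                        ("crunch, then add", CRUNCH_THEN_ADD)):
        wire = apply_header_filter(SAMPLE_HEAD, jobs)
        print(label, "->", header_values(wire, "X-Frame-Options"))
```

Counting physical header lines in the raw response is a more reliable check than a browser extension's display, which may merge repeated headers into one comma-separated value.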

     
  • Kai Raven
    2013-01-17

    Thx for the log-parser option hint. Sorry, I haven't looked in the man page ;)

    Mmh, I have tested boingboing with my main Firefox profile (with a lot of add-ons and modifications in the advanced settings) and with a fresh/default profile over Privoxy - but both with forwarding to Tor and controlled by the same AppArmor profile - and with Opera without restrictions over Privoxy->Tor and found no issues. But imo/for me, one or a few failing sites are not so important.