Diffstat (limited to 'vendor/github.com/gorilla')
-rw-r--r--vendor/github.com/gorilla/csrf/README.md2
-rw-r--r--vendor/github.com/gorilla/csrf/csrf.go2
-rw-r--r--vendor/github.com/gorilla/csrf/options.go2
-rw-r--r--vendor/github.com/gorilla/handlers/compress.go3
4 files changed, 6 insertions, 3 deletions
diff --git a/vendor/github.com/gorilla/csrf/README.md b/vendor/github.com/gorilla/csrf/README.md
index 9bcf3f8..daa3c87 100644
--- a/vendor/github.com/gorilla/csrf/README.md
+++ b/vendor/github.com/gorilla/csrf/README.md
@@ -94,7 +94,7 @@ func ShowSignupForm(w http.ResponseWriter, r *http.Request) {
})
// We could also retrieve the token directly from csrf.Token(r) and
// set it in the request header - w.Header.Set("X-CSRF-Token", token)
- // This is useful if your sending JSON to clients or a front-end JavaScript
+ // This is useful if you're sending JSON to clients or a front-end JavaScript
// framework.
}
diff --git a/vendor/github.com/gorilla/csrf/csrf.go b/vendor/github.com/gorilla/csrf/csrf.go
index 58ffd5b..926be23 100644
--- a/vendor/github.com/gorilla/csrf/csrf.go
+++ b/vendor/github.com/gorilla/csrf/csrf.go
@@ -115,7 +115,7 @@ type options struct {
// })
// // We could also retrieve the token directly from csrf.Token(r) and
// // set it in the request header - w.Header.Set("X-CSRF-Token", token)
-// // This is useful if your sending JSON to clients or a front-end JavaScript
+// // This is useful if you're sending JSON to clients or a front-end JavaScript
// // framework.
// }
//
diff --git a/vendor/github.com/gorilla/csrf/options.go b/vendor/github.com/gorilla/csrf/options.go
index c644d49..b50ebd4 100644
--- a/vendor/github.com/gorilla/csrf/options.go
+++ b/vendor/github.com/gorilla/csrf/options.go
@@ -63,7 +63,7 @@ func HttpOnly(h bool) Option {
// provide a handler that returns a static HTML file with a HTTP 403 status. By
// default a HTTP 403 status and a plain text CSRF failure reason are served.
//
-// Note that a custom error handler can also access the csrf.Failure(r)
+// Note that a custom error handler can also access the csrf.FailureReason(r)
// function to retrieve the CSRF validation reason from the request context.
func ErrorHandler(h http.Handler) Option {
return func(cs *csrf) {
diff --git a/vendor/github.com/gorilla/handlers/compress.go b/vendor/github.com/gorilla/handlers/compress.go
index 5e140c5..e8345d7 100644
--- a/vendor/github.com/gorilla/handlers/compress.go
+++ b/vendor/github.com/gorilla/handlers/compress.go
@@ -56,6 +56,9 @@ func (w *compressResponseWriter) Flush() {
// CompressHandler gzip compresses HTTP responses for clients that support it
// via the 'Accept-Encoding' header.
+//
+// Compressing TLS traffic may leak the page contents to an attacker if the
+// page contains user input: http://security.stackexchange.com/a/102015/12208
func CompressHandler(h http.Handler) http.Handler {
return CompressHandlerLevel(h, gzip.DefaultCompression)
}