I am currently working on a web application (in Go) which will be used as the main portal for other internal applications (running in Docker containers). This web application should simply serve an HTML page with a navigation bar at the top, and the rest of the page will be an IFrame. The navigation bar has multiple links which change the source of the IFrame. It is important to know that the links on the navigation bar are created dynamically.
I very soon ran into the issue that the IFrame couldn't display the other internal applications because of the Same-Origin Policy, which blocks all content. To work around this, I thought it might be a good idea to implement my own reverse proxy in Go.
```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// handler serves the portal page whose iframe loads "/" through the proxy.
func handler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "<html><body><iframe src=\"/\" width=\"100%\" height=\"100%\"></iframe></body></html>")
}

// proxyHandle is the Director: it points every request at the upstream host.
func proxyHandle(r *http.Request) {
	r.Host = "google.com"
	r.URL.Host = r.Host
	r.URL.Scheme = "http"
}

func main() {
	proxy := httputil.NewSingleHostReverseProxy(&url.URL{
		Scheme: "http",
		Host:   "google.com",
	})
	proxy.Director = proxyHandle
	http.Handle("/", proxy)
	http.HandleFunc("/index", handler)
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```
I still get the SOP error message. I now basically have two questions:
After some investigation with Fiddler I was able to find out that the specified address (http://google.com) sends a redirect response back. The transaction was basically like this:

```
Client -> MyProxy -> RealWebsite
Client <- MyProxy <- RealWebsite: Location https://www.google.com
Client -> https://www.google.com
```

Therefore, the client tried to open "https://www.google.com" within the IFrame, which conflicts with the same-origin policy. After some research I found this GitHub issue. It seems like the Go reverse proxy doesn't transform the "Location" header (which is a redirect).
I could now rewrite the Location-Header but I decided to use an existing reverse proxy (nginx).
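The Location rewrite mentioned above can be done in `ReverseProxy.ModifyResponse`. This is an added example, not code from the original post; `rewriteLocation`, `newPortalProxy` and the `app1.internal:8081` upstream are hypothetical names chosen for illustration.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// rewriteLocation maps an absolute redirect to the upstream host onto a
// path-only URL. ok is false, and loc is unchanged, for any other host.
func rewriteLocation(loc string, upstream *url.URL) (out string, ok bool) {
	u, err := url.Parse(loc)
	if err == nil && u.Scheme == "" && u.Host == "" {
		return loc, true // already relative to the proxied origin
	}
	if err != nil || !strings.EqualFold(u.Host, upstream.Host) {
		return loc, false
	}
	// Collapse leading slashes so "//other.example/" cannot become scheme-relative.
	out = "/" + strings.TrimLeft(u.EscapedPath(), "/")
	if u.RawQuery != "" {
		out += "?" + u.RawQuery
	}
	return out, true
}

// newPortalProxy (hypothetical name) proxies to upstream and rewrites Location.
func newPortalProxy(upstream *url.URL) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(upstream)
	p.ModifyResponse = func(resp *http.Response) error {
		if loc := resp.Header.Get("Location"); loc != "" {
			if v, ok := rewriteLocation(loc, upstream); ok {
				resp.Header.Set("Location", v)
			} else {
				log.Printf("redirect leaves the proxied origin: %q", loc)
			}
		}
		return nil
	}
	return p
}

func main() {
	upstream := &url.URL{Scheme: "http", Host: "app1.internal:8081"} // constructed address
	http.Handle("/", newPortalProxy(upstream))
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

A redirect like the one in the trace above, from http://google.com to https://www.google.com, names a different host, so this code leaves it unchanged and only logs it.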