fix: fixing CORS headers only if sslstrip is enabled (fixes #543)

Gopkg.lock

@@ -60,11 +60,11 @@
 
 [[projects]]
   branch = "master"
-  digest = "1:c8bc90a7d67587dda6b8a90e570c411874fa01117eb383527c5e36d4fae5158a"
+  digest = "1:6b01d6818554363a129a2504033feacdfd8b9ddba998831fa57781eb90e60f32"
   name = "github.com/bettercap/recording"
   packages = ["."]
   pruneopts = "UT"
-  revision = "1396b95921b3cc1cb1cee3280c7f6be6c7f06b06"
+  revision = "3ce1dcf032e391eb321311b34cdf31c6fc9523f5"
 
 [[projects]]
   branch = "master"

modules/http_proxy/http_proxy_base_filters.go

@@ -52,25 +52,6 @@ func (p *HTTPProxy) onRequestFilter(req *http.Request, ctx *goproxy.ProxyCtx) (*
 	return req, nil
 }
 
-func (p *HTTPProxy) fixResponseHeaders(res *http.Response) {
-	res.Header.Del("Content-Security-Policy-Report-Only")
-	res.Header.Del("Content-Security-Policy")
-	res.Header.Del("Strict-Transport-Security")
-	res.Header.Del("Public-Key-Pins")
-	res.Header.Del("Public-Key-Pins-Report-Only")
-	res.Header.Del("X-Frame-Options")
-	res.Header.Del("X-Content-Type-Options")
-	res.Header.Del("X-WebKit-CSP")
-	res.Header.Del("X-Content-Security-Policy")
-	res.Header.Del("X-Download-Options")
-	res.Header.Del("X-Permitted-Cross-Domain-Policies")
-	res.Header.Del("X-Xss-Protection")
-	res.Header.Set("Allow-Access-From-Same-Origin", "*")
-	res.Header.Set("Access-Control-Allow-Origin", "*")
-	res.Header.Set("Access-Control-Allow-Methods", "*")
-	res.Header.Set("Access-Control-Allow-Headers", "*")
-}
-
 func (p *HTTPProxy) getHeader(res *http.Response, header string) string {
 	header = strings.ToLower(header)
 	for name, values := range res.Header {
@@ -128,8 +109,6 @@ func (p *HTTPProxy) onResponseFilter(res *http.Response, ctx *goproxy.ProxyCtx)
 	if p.shouldProxy(res.Request) {
 		p.Debug("> %s %s %s%s", res.Request.RemoteAddr, res.Request.Method, res.Request.Host, res.Request.URL.Path)
 
-		p.fixResponseHeaders(res)
-
 		p.stripper.Process(res, ctx)
 
 		// do we have a proxy script?

modules/http_proxy/http_proxy_base_sslstriper.go

@@ -283,11 +283,32 @@ func (s *SSLStripper) isMaxRedirs(hostname string) bool {
 	return false
 }
 
+func (s *SSLStripper) fixResponseHeaders(res *http.Response) {
+	res.Header.Del("Content-Security-Policy-Report-Only")
+	res.Header.Del("Content-Security-Policy")
+	res.Header.Del("Strict-Transport-Security")
+	res.Header.Del("Public-Key-Pins")
+	res.Header.Del("Public-Key-Pins-Report-Only")
+	res.Header.Del("X-Frame-Options")
+	res.Header.Del("X-Content-Type-Options")
+	res.Header.Del("X-WebKit-CSP")
+	res.Header.Del("X-Content-Security-Policy")
+	res.Header.Del("X-Download-Options")
+	res.Header.Del("X-Permitted-Cross-Domain-Policies")
+	res.Header.Del("X-Xss-Protection")
+	res.Header.Set("Allow-Access-From-Same-Origin", "*")
+	res.Header.Set("Access-Control-Allow-Origin", "*")
+	res.Header.Set("Access-Control-Allow-Methods", "*")
+	res.Header.Set("Access-Control-Allow-Headers", "*")
+}
+
 func (s *SSLStripper) Process(res *http.Response, ctx *goproxy.ProxyCtx) {
 	if !s.enabled {
 		return
 	}
 
+	s.fixResponseHeaders(res)
+
 	// is the server redirecting us?
 	if res.StatusCode != 200 {
 		// extract Location header