Rework the order of ResponseWriter.Header and ResponseWriter.WriteHeader

Author: parkr

cors/cors.go

@@ -31,12 +31,18 @@ type corsHandler struct {
 // ServeHTTP adds CORS headers.
 func (c corsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if r.Method == http.MethodOptions {
-		w.WriteHeader(http.StatusNoContent)
+		// According to the documentation for ResponseWriter.WriteHeader and
+		// ResponseWriter.Header, modifications to the Header must happen BEFORE
+		// any call to WriteHeader. That means it should be, in order:
+		// 1. Write all your Headers
+		// 2. Call WriteHeader to set your status
+		// 3. Write to the body
 		c.addCORSHeaders(w, r)
+		w.WriteHeader(http.StatusNoContent)
 		return
 	}
-	c.next.ServeHTTP(w, r)
 	c.addCORSHeaders(w, r)
+	c.next.ServeHTTP(w, r)
 }
 
 func (c corsHandler) addCORSHeaders(w http.ResponseWriter, r *http.Request) {

dnt/do_not_track.go

@@ -25,8 +25,9 @@ type dntMiddleware struct {
 
 func (d dntMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if RequestsDoNotTrack(r) {
-		w.WriteHeader(http.StatusNoContent)
 		SetDoNotTrack(w)
+		// Note: All w.Header() modifications must be made BEFORE this call.
+		w.WriteHeader(http.StatusNoContent)
 		return
 	}
 	d.nextHandler.ServeHTTP(w, r)

jsv1/version1.go

@@ -10,16 +10,17 @@ const returnedJavaScript = "(function(){})();"
 const lengthOfJavaScript = "17"
 
 func Write(w http.ResponseWriter, code int) {
-	w.WriteHeader(code)
 	w.Header().Set("Content-Type", "application/javascript")
 	w.Header().Set("Content-Length", lengthOfJavaScript)
+
 	fmt.Fprintf(w, returnedJavaScript)
 }
 
 func Error(w http.ResponseWriter, code int, err string) {
-	w.WriteHeader(code)
 	content := fmt.Sprintf(`(function(){console.error("%s")})();`, err)
 	w.Header().Set("Content-Type", "application/javascript")
 	w.Header().Set("Content-Length", strconv.Itoa(len(content)))
+	// Note: All w.Header() modifications must be made BEFORE this call.
+	w.WriteHeader(code)
 	fmt.Fprintf(w, content)
 }

jsv2/version2.go

@@ -37,8 +37,9 @@ function logVisit(document) {
 `
 
 func Write(w http.ResponseWriter, code int) {
-	w.WriteHeader(code)
 	w.Header().Set("Content-Type", "application/javascript")
 	w.Header().Set("Content-Length", strconv.Itoa(len(returnedJavaScript)))
+	// Note: All w.Header() modifications must be made BEFORE this call.
+	w.WriteHeader(code)
 	fmt.Fprintf(w, returnedJavaScript)
 }

ping.go

@@ -1,7 +1,6 @@
 package ping
 
 import (
-	"encoding/json"
 	"errors"
 	"fmt"
 	"log"
@@ -36,12 +35,6 @@ func parseReferer(referer string) (*url.URL, error) {
 	return url.Parse(referer)
 }
 
-func jsonError(w http.ResponseWriter, statusCode int, message string) {
-	w.WriteHeader(statusCode)
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(map[string]string{"error": message})
-}
-
 // ping routes to pingv1 or pingv2 depending on the version code in the form.
 func ping(w http.ResponseWriter, r *http.Request) {
 	version := r.FormValue("v")

utils.go

@@ -2,7 +2,6 @@ package ping
 
 import (
 	"encoding/json"
-	"fmt"
 	"net/http"
 	"strings"
 )
@@ -11,12 +10,19 @@ func writeJsonResponse(w http.ResponseWriter, input interface{}) {
 	w.Header().Set("Content-Type", "application/json")
 	data, err := json.Marshal(input)
 	if err != nil {
-		fmt.Fprintf(w, `{"error":"json, `+err.Error()+`"}`)
+		jsonError(w, http.StatusInternalServerError, err.Error())
 	} else {
 		w.Write(data)
 	}
 }
 
+func jsonError(w http.ResponseWriter, statusCode int, message string) {
+	w.Header().Set("Content-Type", "application/json")
+	// Note: All w.Header() modifications must be made BEFORE this call.
+	w.WriteHeader(statusCode)
+	json.NewEncoder(w).Encode(map[string]string{"error": message})
+}
+
 func sanitizeUserInput(input string) string {
 	escapedInput := strings.ReplaceAll(input, "\n", "")
 	escapedInput = strings.ReplaceAll(escapedInput, "\r", "")