From 4108407c6664b6f22a5ccf8eb864b656595499e9 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Mon, 28 Oct 2019 15:25:17 -0400
Subject: [PATCH] 15606: Add error message and doc link to XSS protection error.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 doc/install/install-keep-web.html.textile.liquid | 2 +-
 services/keep-web/handler.go                     | 2 +-
 services/keep-web/handler_test.go                | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid
index 902ced0372..a8833f44da 100644
--- a/doc/install/install-keep-web.html.textile.liquid
+++ b/doc/install/install-keep-web.html.textile.liquid
@@ -100,7 +100,7 @@ server {
 If you restrict access to your Arvados services based on network topology -- for example, your proxy server is not reachable from the public internet -- additional proxy configuration might be needed to thwart cross-site scripting attacks that would circumvent your restrictions. Read the "'Intranet mode' section of the Keep-web documentation":https://godoc.org/github.com/curoverse/arvados/services/keep-web#hdr-Intranet_mode now.
 {% include 'notebox_end' %}
 
-h3. Configure DNS
+h3(#dns). Configure DNS
 
 Configure your DNS servers so the following names resolve to your Nginx proxy's public IP address.
 * @download.uuid_prefix.your.domain@
diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index b4fe1bd400..728fdb0a35 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -733,7 +733,7 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
 // into a cookie unless the current vhost
 // (origin) serves only a single collection or
 // we are in TrustAllContent mode.
-w.WriteHeader(http.StatusBadRequest)
+http.Error(w, "cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)", http.StatusBadRequest)
 return
 }
 
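Review bot: The added http.Error line hard-codes a long message, including a documentation anchor, that the two hunks in services/keep-web/handler_test.go then repeat verbatim (plus the "\n" http.Error appends), so any rewording or a moved anchor has to be kept in sync by hand in three places. I would hoist it into a package-level constant, e.g. `const errMsgNoInlineContent = "cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)"`, and have both the handler and the tests reference it; note the link is only valid once the `h3(#dns)` anchor added in the doc hunk of this same patch is published. Replacing the bare WriteHeader with http.Error is the right choice for this branch: it sets a text/plain Content-Type and X-Content-Type-Options: nosniff on a response whose purpose is to refuse inline content on a shared origin, and the body is a fixed string with no request data reflected into it. The enclosing seeOtherWithCookie body starts and ends outside the hunk.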
diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go
index 34333d4342..aefd0fd08d 100644
--- a/services/keep-web/handler_test.go
+++ b/services/keep-web/handler_test.go
@@ -349,7 +349,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenSingleOriginError(c *check
 "",
 "",
 http.StatusBadRequest,
-"",
+"cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n",
 )
 }
 
@@ -424,7 +424,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenAttachmentOnlyHost(c *chec
 "",
 "",
 http.StatusBadRequest,
-"",
+"cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n",
 )
 
 resp := s.testVhostRedirectTokenToCookie(c, "GET",
-- 
2.39.5