path: root/src/cmd/trace/trace_unix_test.go
author: Mike Samuel <mikesamuel@gmail.com> 2018-01-23 14:27:47 -0500
committer: Brad Fitzpatrick <bradfitz@golang.org> 2018-04-10 16:42:54 +0000
commit: 1a677e03c827b7b1ab2008be2a8f340fb072531c (patch)
tree: 4cbae3221c0273845f65139b2a982f874ed5dde6 /src/cmd/trace/trace_unix_test.go
parent: c3cb44fdef04d87d4c19b5114748e625a95b9b40 (diff)
net/http: don't sniff Content-type in Server when X-Content-Type-Options:nosniff
The docs for ResponseWriter.Write say

    // If the Header
    // does not contain a Content-Type line, Write adds a Content-Type set
    // to the result of passing the initial 512 bytes of written data to
    // DetectContentType.

The header X-Content-Type-Options:nosniff is an explicit directive that content-type should not be sniffed.

This changes the behavior of Response.WriteHeader so that, when there is an X-Content-Type-Options:nosniff header, but there is no Content-type header, the following happens:

1. A Content-type:application/octet-stream is added
2. A warning is logged via the server's logging mechanism.

Previously, a content-type would have been silently added based on heuristic analysis of the first 512B which might allow a hosted GIF like http://www.thinkfu.com/blog/gifjavascript-polyglots to be categorized as JavaScript which might allow a CSP bypass, loading as a script despite `Content-Security-Policy: script-src 'self' `.

----

https://fetch.spec.whatwg.org/#x-content-type-options-header defines the X-Content-Type-Options header.

["Polyglots: Crossing Origins by Crossing Formats"](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.905.2946&rep=rep1&type=pdf) explains Polyglot attacks in more detail.

Change-Id: I2c8800d2e4b4d10d9e08a0e3e5b20334a75f03c0
Reviewed-on: https://go-review.googlesource.com/89275
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Diffstat (limited to 'src/cmd/trace/trace_unix_test.go')
0 files changed, 0 insertions, 0 deletions