authorGustavo Noronha Silva <gns@gnome.org>2013-12-08 20:04:48 +0100
committerDan Winship <danw@gnome.org>2014-02-17 12:08:46 -0500
commitb766f11049d98f54980f64a6261914610e4e5116 (patch)
tree9263d3532b4cf787fe3a56af377b0a778d2b5df6
parent6510806d97713450625bbd648d3ce6cd953a4df9 (diff)
sniffing: Implement handling of the X-Content-Type-Options header
-rw-r--r--libsoup/soup-content-sniffer.c6
-rw-r--r--tests/sniffing-test.c19
2 files changed, 24 insertions, 1 deletions
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index e16658ba..6dec3e30 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -477,6 +477,7 @@ soup_content_sniffer_real_sniff (SoupContentSniffer *sniffer, SoupMessage *msg,
SoupBuffer *buffer, GHashTable **params)
{
const char *content_type;
+ const char *x_content_type_options;
content_type = soup_message_headers_get_content_type (msg->response_headers, params);
@@ -489,7 +490,10 @@ soup_content_sniffer_real_sniff (SoupContentSniffer *sniffer, SoupMessage *msg,
!g_ascii_strcasecmp (content_type, "*/*"))
return sniff_unknown (sniffer, buffer, FALSE);
- /* TODO: 2. no-sniff flag handling. */
+ /* 2. If nosniff is specified in X-Content-Type-Options use the supplied MIME type. */
+ x_content_type_options = soup_message_headers_get_one (msg->response_headers, "X-Content-Type-Options");
+ if (!g_strcmp0 (x_content_type_options, "nosniff"))
+ return g_strdup (content_type);
/* 3. check-for-apache-bug */
if ((content_type != NULL) &&
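Review bot: The `g_strcmp0 (x_content_type_options, "nosniff")` test is an exact, case-sensitive match, so a response carrying `X-Content-Type-Options: NoSniff`, or the token as one element of a comma-separated value, falls through to the sniffing steps below. That is the fail-open direction for a header whose purpose is to stop the declared type from being overridden. The neighbouring comparison in this hunk already uses `g_ascii_strcasecmp`; the same here, with a NULL guard, would be `if (x_content_type_options && !g_ascii_strcasecmp (x_content_type_options, "nosniff"))`. The check also sits after the unknown-type branch, so a nosniff response with a `*/*` Content-Type is still handed to `sniff_unknown`; a one-line comment saying whether that ordering is intended would help. The body of soup_content_sniffer_real_sniff starts and ends outside the hunk.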
diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
index b668f403..a8bc3ffc 100644
--- a/tests/sniffing-test.c
+++ b/tests/sniffing-test.c
@@ -49,6 +49,20 @@ server_callback (SoupServer *server, SoupMessage *msg,
"Content-Type", "text/plain");
}
+ if (g_str_has_prefix (path, "/nosniff/")) {
+ char *base_name = g_path_get_basename (path);
+
+ response = soup_test_load_resource (base_name, &error);
+ g_assert_no_error (error);
+ g_free (base_name);
+
+ soup_message_headers_append (msg->response_headers,
+ "X-Content-Type-Options", "nosniff");
+
+ soup_message_headers_append (msg->response_headers,
+ "Content-Type", "no/sniffing-allowed");
+ }
+
if (g_str_has_prefix (path, "/text_or_binary/") || g_str_has_prefix (path, "/apache_bug/")) {
char *base_name = g_path_get_basename (path);
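Review bot: The `/nosniff/` branch serves the resource as `no/sniffing-allowed`, a type that nothing visible in this diff shows being overridden by sniffing, so the new `/sniffing/nosniff` case may pass even with the header check removed. That assumes the sniffer returns an unrecognised supplied type unchanged, which is code outside this diff and should be confirmed. Serving home.gif under a type that is otherwise sniffed would make the test discriminate; the existing `text_or_binary/home.gif => image/gif` case shows such a pairing exists, and the expectation would then be the declared type rather than `image/gif`. A second case with a differently-cased header value (for example a constructed `"NoSniff"`) would pin down how strictly the value is matched. server_callback continues outside the hunk, and the test registration is in the following hunk.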
@@ -450,6 +464,11 @@ main (int argc, char **argv)
"/apache_bug/text.txt => text/plain",
do_sniffing_test);
+ /* X-Content-Type-Options: nosniff */
+ g_test_add_data_func ("/sniffing/nosniff",
+ "nosniff/home.gif => no/sniffing-allowed",
+ do_sniffing_test);
+
/* GIF is a 'safe' type */
g_test_add_data_func ("/sniffing/type/gif",
"text_or_binary/home.gif => image/gif",