    net/http: set nosniff header when serving Error · 32166319
    Andrew Gerrand authored
    The Error function is a potential XSS vector if a user can control the
    error message.
    
    For example, an http.FileServer when given a request for this path
    	/<script>alert("xss!")</script>
    may return a response with a body like this
    	open <script>alert("xss!")</script>: no such file or directory
    Browsers that sniff the content may interpret this as HTML and execute
    the script. The nosniff header added by this CL should help, but we
    should also try sanitizing the output entirely.
    
    Change-Id: I447f701531329a2fc8ffee2df2f8fa69d546f893
    Reviewed-on: https://go-review.googlesource.com/10640
    Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
server.go 61.8 KB
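An added check (not part of this commit or the Go tree) that contrasts the two behaviours the message describes: a hypothetical handler that echoes the request path without `http.Error`, and `http.FileServer` over an empty temporary directory, whose misses go through `http.Error` and so carry `X-Content-Type-Options: nosniff`. Names `Probe`, `probe`, `naiveError` and `emptyFileServer` are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// Probe holds the response fields that decide whether a browser may sniff
// an error body as HTML: status, Content-Type and X-Content-Type-Options.
type Probe struct {
	Status      int
	ContentType string
	Nosniff     string
	Body        string
}

// probe sends one GET for path to h through httptest and records the fields above.
func probe(h http.Handler, path string) Probe {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	res := rec.Result()
	return Probe{
		Status:      res.StatusCode,
		ContentType: res.Header.Get("Content-Type"),
		Nosniff:     res.Header.Get("X-Content-Type-Options"),
		Body:        rec.Body.String(),
	}
}

// naiveError is a hypothetical handler that echoes the request path into an
// error body without http.Error: no nosniff header, Content-Type left to sniffing.
func naiveError() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNotFound)
		fmt.Fprintf(w, "open %s: no such file or directory\n", r.URL.Path)
	})
}

// emptyFileServer returns an http.FileServer over a fresh empty directory
// (constructed here), so every request misses and the http.Error path runs.
// The second return value removes the directory.
func emptyFileServer() (http.Handler, func()) {
	dir, err := os.MkdirTemp("", "nosniff-demo")
	if err != nil {
		panic(err)
	}
	return http.FileServer(http.Dir(dir)), func() { os.RemoveAll(dir) }
}
```

Run the probes with the path quoted in the message: the naive handler reflects it into the body with no nosniff header, while the file server answers with nosniff and a plain-text body that no longer contains it.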