-
Andrew Bonventre authored
A very small number of old browsers consider content as HTML even when it is explicitly stated in the Content-Type header that it is not. If content served is based on user-supplied input, then an XSS is possible. Introduce three mitigations: + Don't reflect user input in error strings + Set a Content-Disposition header when requesting a resource that should never be displayed in a browser window + Set X-Content-Type-Options: nosniff on all responses Change-Id: I81c9d6736e0439ebd1db99cd7fb701cc56d24805 Reviewed-on: https://go-review.googlesource.com/102318 Run-TryBot: Andrew Bonventre <andybons@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
baa46bcf