• Andrew Bonventre's avatar
    net/http/pprof: harden handler responses · baa46bcf
    Andrew Bonventre authored
    A very small number of old browsers consider content as HTML
    even when it is explicitly stated in the Content-Type header
    that it is not. If content served is based on user-supplied
    input, then an XSS is possible. Introduce three mitigations:
    
    + Don't reflect user input in error strings
    + Set a Content-Disposition header when requesting a resource
      that should never be displayed in a browser window
    + Set X-Content-Type-Options: nosniff on all responses
    
    Change-Id: I81c9d6736e0439ebd1db99cd7fb701cc56d24805
    Reviewed-on: https://go-review.googlesource.com/102318
    Run-TryBot: Andrew Bonventre <andybons@golang.org>
    Reviewed-by: 's avatarFilippo Valsorda <filippo@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    baa46bcf
pprof_test.go 2.45 KB