net/http: set nosniff header when serving Error

The Error function is a potential XSS vector if a user can control the error message. For example, an http.FileServer when given a request for this path /<script>alert("xss!")</script> may return a response with a body like this open <script>alert("xss!")</script>: no such file or directory Browsers that sniff the content may interpret this as HTML and execute the script. The nosniff header added by this CL should help, but we should also try santizing the output entirely. Change-Id: I447f701531329a2fc8ffee2df2f8fa69d546f893 Reviewed-on: https://go-review.googlesource.com/10640Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

net/http: set nosniff header when serving Error
The Error function is a potential XSS vector if a user can control the error message. For example, an http.FileServer when given a request for this path /<script>alert("xss!")</script> may return a response with a body like this open <script>alert("xss!")</script>: no such file or directory Browsers that sniff the content may interpret this as HTML and execute the script. The nosniff header added by this CL should help, but we should also try santizing the output entirely. Change-Id: I447f701531329a2fc8ffee2df2f8fa69d546f893 Reviewed-on: https://go-review.googlesource.com/10640Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
32166319 · Andrew Gerrand · 70cf7352 · 32166319
Commit 32166319 authored Jun 02, 2015 by Andrew Gerrand
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

server.go src/net/http/server.go +1 -0

No files found.
--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@@ -1326,6 +1326,7 @@ func (f HandlerFunc) ServeHTTP(w ResponseWriter, r *Request) {
 // The error message should be plain text.
 func Error(w ResponseWriter, error string, code int) {
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.WriteHeader(code)
 	fmt.Fprintln(w, error)
 }