-
Mike Samuel authored
The docs for ResponseWriter.Write say // If the Header // does not contain a Content-Type line, Write adds a Content-Type set // to the result of passing the initial 512 bytes of written data to // DetectContentType. The header X-Content-Type-Options:nosniff is an explicit directive that content-type should not be sniffed. This changes the behavior of Response.WriteHeader so that, when there is an X-Content-Type-Options:nosniff header, but there is no Content-type header, the following happens: 1. A Content-type:application/octet-stream is added 2. A warning is logged via the server's logging mechanism. Previously, a content-type would have been silently added based on heuristic analysis of the first 512B which might allow a hosted GIF like http://www.thinkfu.com/blog/gifjavascript-polyglots to be categorized as JavaScript which might allow a CSP bypass, loading as a script despite `Content-Security-Policy: script-src 'self' `. ---- https://fetch.spec.whatwg.org/#x-content-type-options-header defines the X-Content-Type-Options header. ["Polyglots: Crossing Origins by Crossing Formats"](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.905.2946&rep=rep1&type=pdf) explains Polyglot attacks in more detail. Change-Id: I2c8800d2e4b4d10d9e08a0e3e5b20334a75f03c0 Reviewed-on: https://go-review.googlesource.com/89275Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
1a677e03
Name |
Last commit
|
Last update |
---|---|---|
.github | ||
api | ||
doc | ||
lib/time | ||
misc | ||
src | ||
test | ||
.gitattributes | ||
.gitignore | ||
AUTHORS | ||
CONTRIBUTING.md | ||
CONTRIBUTORS | ||
LICENSE | ||
PATENTS | ||
README.md | ||
favicon.ico | ||
robots.txt |