src/net · 3c3019aa51ece3001139e568d78aef6a2762395f · go / golang

net/http: set nosniff header when serving Error · 32166319

Andrew Gerrand authored Jun 02, 2015

The Error function is a potential XSS vector if a user can control the
error message.

For example, an http.FileServer when given a request for this path
	/<script>alert("xss!")</script>
may return a response with a body like this
	open <script>alert("xss!")</script>: no such file or directory
Browsers that sniff the content may interpret this as HTML and execute
the script. The nosniff header added by this CL should help, but we
should also try santizing the output entirely.

Change-Id: I447f701531329a2fc8ffee2df2f8fa69d546f893
Reviewed-on: https://go-review.googlesource.com/10640Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

32166319

Name	Last commit	Last update
..
http		Loading commit data...
internal/socktest		Loading commit data...
mail		Loading commit data...
rpc		Loading commit data...
smtp		Loading commit data...
testdata		Loading commit data...
textproto		Loading commit data...
url		Loading commit data...
cgo_android.go		Loading commit data...
cgo_bsd.go		Loading commit data...
cgo_linux.go		Loading commit data...
cgo_netbsd.go		Loading commit data...
cgo_openbsd.go		Loading commit data...
cgo_solaris.go		Loading commit data...
cgo_stub.go		Loading commit data...
cgo_unix.go		Loading commit data...
cgo_unix_test.go		Loading commit data...
cgo_windows.go		Loading commit data...
conf.go		Loading commit data...
conf_test.go		Loading commit data...
conn_test.go		Loading commit data...
dial.go		Loading commit data...
dial_gen.go		Loading commit data...
dial_test.go		Loading commit data...
dnsclient.go		Loading commit data...
dnsclient_test.go		Loading commit data...
dnsclient_unix.go		Loading commit data...
dnsclient_unix_test.go		Loading commit data...
dnsconfig_unix.go		Loading commit data...
dnsconfig_unix_test.go		Loading commit data...
dnsmsg.go		Loading commit data...
dnsmsg_test.go		Loading commit data...
dnsname_test.go		Loading commit data...
error_plan9_test.go		Loading commit data...
error_posix_test.go		Loading commit data...
error_test.go		Loading commit data...
example_test.go		Loading commit data...
external_test.go		Loading commit data...
fd_mutex.go		Loading commit data...
fd_mutex_test.go		Loading commit data...
fd_plan9.go		Loading commit data...
fd_poll_nacl.go		Loading commit data...
fd_poll_runtime.go		Loading commit data...
fd_posix.go		Loading commit data...
fd_posix_test.go		Loading commit data...
fd_unix.go		Loading commit data...
fd_windows.go		Loading commit data...
file.go		Loading commit data...
file_bsd_test.go		Loading commit data...
file_linux_test.go		Loading commit data...
file_plan9.go		Loading commit data...
file_stub.go		Loading commit data...
file_test.go		Loading commit data...
file_unix.go		Loading commit data...
file_windows.go		Loading commit data...
hook.go		Loading commit data...
hook_cloexec.go		Loading commit data...
hook_plan9.go		Loading commit data...
hook_unix.go		Loading commit data...
hook_windows.go		Loading commit data...
hosts.go		Loading commit data...
hosts_test.go		Loading commit data...
interface.go		Loading commit data...
interface_bsd.go		Loading commit data...
interface_bsd_test.go		Loading commit data...
interface_darwin.go		Loading commit data...
interface_dragonfly.go		Loading commit data...
interface_freebsd.go		Loading commit data...
interface_linux.go		Loading commit data...
interface_linux_test.go		Loading commit data...
interface_netbsd.go		Loading commit data...
interface_openbsd.go		Loading commit data...
interface_stub.go		Loading commit data...
interface_test.go		Loading commit data...
interface_unix_test.go		Loading commit data...
interface_windows.go		Loading commit data...
ip.go		Loading commit data...
ip_test.go		Loading commit data...
ipraw_test.go		Loading commit data...
iprawsock.go		Loading commit data...
iprawsock_plan9.go		Loading commit data...
iprawsock_posix.go		Loading commit data...
ipsock.go		Loading commit data...
ipsock_plan9.go		Loading commit data...
ipsock_posix.go		Loading commit data...
ipsock_test.go		Loading commit data...
listen_test.go		Loading commit data...
lookup.go		Loading commit data...
lookup_plan9.go		Loading commit data...
lookup_stub.go		Loading commit data...
lookup_test.go		Loading commit data...
lookup_unix.go		Loading commit data...
lookup_windows.go		Loading commit data...
lookup_windows_test.go		Loading commit data...
mac.go		Loading commit data...
mac_test.go		Loading commit data...
main_cloexec_test.go		Loading commit data...
main_plan9_test.go		Loading commit data...
main_posix_test.go		Loading commit data...
main_test.go		Loading commit data...
main_unix_test.go		Loading commit data...
main_windows_test.go		Loading commit data...
mockserver_test.go		Loading commit data...
net.go		Loading commit data...
net_test.go		Loading commit data...
net_windows_test.go		Loading commit data...
netgo_unix_test.go		Loading commit data...
nss.go		Loading commit data...
nss_test.go		Loading commit data...
packetconn_test.go		Loading commit data...
parse.go		Loading commit data...
parse_test.go		Loading commit data...
pipe.go		Loading commit data...
pipe_test.go		Loading commit data...
platform_test.go		Loading commit data...
port.go		Loading commit data...
port_test.go		Loading commit data...
port_unix.go		Loading commit data...
protoconn_test.go		Loading commit data...
race.go		Loading commit data...
race0.go		Loading commit data...
sendfile_dragonfly.go		Loading commit data...
sendfile_freebsd.go		Loading commit data...
sendfile_linux.go		Loading commit data...
sendfile_solaris.go		Loading commit data...
sendfile_stub.go		Loading commit data...
sendfile_windows.go		Loading commit data...
server_test.go		Loading commit data...
sock_bsd.go		Loading commit data...
sock_cloexec.go		Loading commit data...
sock_linux.go		Loading commit data...
sock_plan9.go		Loading commit data...
sock_posix.go		Loading commit data...
sock_stub.go		Loading commit data...
sock_windows.go		Loading commit data...
sockopt_bsd.go		Loading commit data...
sockopt_linux.go		Loading commit data...
sockopt_plan9.go		Loading commit data...
sockopt_posix.go		Loading commit data...
sockopt_solaris.go		Loading commit data...
sockopt_stub.go		Loading commit data...
sockopt_windows.go		Loading commit data...
sockoptip_bsd.go		Loading commit data...
sockoptip_linux.go		Loading commit data...
sockoptip_posix.go		Loading commit data...
sockoptip_stub.go		Loading commit data...
sockoptip_windows.go		Loading commit data...
sys_cloexec.go		Loading commit data...
tcp_test.go		Loading commit data...
tcpsock.go		Loading commit data...
tcpsock_plan9.go		Loading commit data...
tcpsock_posix.go		Loading commit data...
tcpsockopt_darwin.go		Loading commit data...
tcpsockopt_dragonfly.go		Loading commit data...
tcpsockopt_openbsd.go		Loading commit data...
tcpsockopt_plan9.go		Loading commit data...
tcpsockopt_posix.go		Loading commit data...
tcpsockopt_solaris.go		Loading commit data...
tcpsockopt_stub.go		Loading commit data...
tcpsockopt_unix.go		Loading commit data...
tcpsockopt_windows.go		Loading commit data...
timeout_test.go		Loading commit data...
udp_test.go		Loading commit data...
udpsock.go		Loading commit data...
udpsock_plan9.go		Loading commit data...
udpsock_posix.go		Loading commit data...
unix_test.go		Loading commit data...
unixsock.go		Loading commit data...
unixsock_plan9.go		Loading commit data...
unixsock_posix.go		Loading commit data...