src/net · b3a854c733257c5249c3435ffcee194f8439676a · go / golang

net/http: don't sniff Content-type in Server when X-Content-Type-Options:nosniff · 1a677e03

Mike Samuel authored Jan 23, 2018

The docs for ResponseWriter.Write say
// If the Header
// does not contain a Content-Type line, Write adds a Content-Type set
// to the result of passing the initial 512 bytes of written data to
// DetectContentType.

The header X-Content-Type-Options:nosniff is an explicit directive that
content-type should not be sniffed.

This changes the behavior of Response.WriteHeader so that, when
there is an X-Content-Type-Options:nosniff header, but there is
no Content-type header, the following happens:
1.  A Content-type:application/octet-stream is added
2.  A warning is logged via the server's logging mechanism.

Previously, a content-type would have been silently added based on
heuristic analysis of the first 512B which might allow a hosted
GIF like http://www.thinkfu.com/blog/gifjavascript-polyglots to be
categorized as JavaScript which might allow a CSP bypass, loading
as a script despite `Content-Security-Policy: script-src 'self' `.

----

https://fetch.spec.whatwg.org/#x-content-type-options-header
defines the X-Content-Type-Options header.

["Polyglots: Crossing Origins by Crossing Formats"](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.905.2946&rep=rep1&type=pdf)
explains Polyglot attacks in more detail.

Change-Id: I2c8800d2e4b4d10d9e08a0e3e5b20334a75f03c0
Reviewed-on: https://go-review.googlesource.com/89275Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

1a677e03

Name	Last commit	Last update
..
http		Loading commit data...
internal/socktest		Loading commit data...
mail		Loading commit data...
rpc		Loading commit data...
smtp		Loading commit data...
testdata		Loading commit data...
textproto		Loading commit data...
url		Loading commit data...
addrselect.go		Loading commit data...
addrselect_test.go		Loading commit data...
cgo_android.go		Loading commit data...
cgo_bsd.go		Loading commit data...
cgo_linux.go		Loading commit data...
cgo_netbsd.go		Loading commit data...
cgo_openbsd.go		Loading commit data...
cgo_resnew.go		Loading commit data...
cgo_resold.go		Loading commit data...
cgo_socknew.go		Loading commit data...
cgo_sockold.go		Loading commit data...
cgo_solaris.go		Loading commit data...
cgo_stub.go		Loading commit data...
cgo_unix.go		Loading commit data...
cgo_unix_test.go		Loading commit data...
cgo_windows.go		Loading commit data...
conf.go		Loading commit data...
conf_netcgo.go		Loading commit data...
conf_test.go		Loading commit data...
conn_test.go		Loading commit data...
dial.go		Loading commit data...
dial_test.go		Loading commit data...
dial_unix_test.go		Loading commit data...
dnsclient.go		Loading commit data...
dnsclient_test.go		Loading commit data...
dnsclient_unix.go		Loading commit data...
dnsclient_unix_test.go		Loading commit data...
dnsconfig_unix.go		Loading commit data...
dnsconfig_unix_test.go		Loading commit data...
dnsname_test.go		Loading commit data...
error_plan9_test.go		Loading commit data...
error_posix.go		Loading commit data...
error_posix_test.go		Loading commit data...
error_test.go		Loading commit data...
error_unix_test.go		Loading commit data...
error_windows_test.go		Loading commit data...
example_test.go		Loading commit data...
external_test.go		Loading commit data...
fd_plan9.go		Loading commit data...
fd_unix.go		Loading commit data...
fd_windows.go		Loading commit data...
file.go		Loading commit data...
file_plan9.go		Loading commit data...
file_stub.go		Loading commit data...
file_test.go		Loading commit data...
file_unix.go		Loading commit data...
file_windows.go		Loading commit data...
hook.go		Loading commit data...
hook_plan9.go		Loading commit data...
hook_unix.go		Loading commit data...
hook_windows.go		Loading commit data...
hosts.go		Loading commit data...
hosts_test.go		Loading commit data...
interface.go		Loading commit data...
interface_bsd.go		Loading commit data...
interface_bsd_test.go		Loading commit data...
interface_bsdvar.go		Loading commit data...
interface_darwin.go		Loading commit data...
interface_freebsd.go		Loading commit data...
interface_linux.go		Loading commit data...
interface_linux_test.go		Loading commit data...
interface_plan9.go		Loading commit data...
interface_solaris.go		Loading commit data...
interface_stub.go		Loading commit data...
interface_test.go		Loading commit data...
interface_unix_test.go		Loading commit data...
interface_windows.go		Loading commit data...
ip.go		Loading commit data...
ip_test.go		Loading commit data...
iprawsock.go		Loading commit data...
iprawsock_plan9.go		Loading commit data...
iprawsock_posix.go		Loading commit data...
iprawsock_test.go		Loading commit data...
ipsock.go		Loading commit data...
ipsock_plan9.go		Loading commit data...
ipsock_posix.go		Loading commit data...
ipsock_test.go		Loading commit data...
listen_test.go		Loading commit data...
lookup.go		Loading commit data...
lookup_nacl.go		Loading commit data...
lookup_plan9.go		Loading commit data...
lookup_test.go		Loading commit data...
lookup_unix.go		Loading commit data...
lookup_windows.go		Loading commit data...
lookup_windows_test.go		Loading commit data...
mac.go		Loading commit data...
mac_test.go		Loading commit data...
main_cloexec_test.go		Loading commit data...
main_conf_test.go		Loading commit data...
main_noconf_test.go		Loading commit data...
main_plan9_test.go		Loading commit data...
main_posix_test.go		Loading commit data...
main_test.go		Loading commit data...
main_unix_test.go		Loading commit data...
main_windows_test.go		Loading commit data...
mockserver_test.go		Loading commit data...
net.go		Loading commit data...
net_test.go		Loading commit data...
net_windows_test.go		Loading commit data...
netgo_unix_test.go		Loading commit data...
nss.go		Loading commit data...
nss_test.go		Loading commit data...
packetconn_test.go		Loading commit data...
parse.go		Loading commit data...
parse_test.go		Loading commit data...
pipe.go		Loading commit data...
pipe_test.go		Loading commit data...
platform_test.go		Loading commit data...
port.go		Loading commit data...
port_test.go		Loading commit data...
port_unix.go		Loading commit data...
protoconn_test.go		Loading commit data...
rawconn.go		Loading commit data...
rawconn_stub_test.go		Loading commit data...
rawconn_test.go		Loading commit data...
rawconn_unix_test.go		Loading commit data...
rawconn_windows_test.go		Loading commit data...
sendfile_linux.go		Loading commit data...
sendfile_stub.go		Loading commit data...
sendfile_test.go		Loading commit data...
sendfile_unix_alt.go		Loading commit data...
sendfile_windows.go		Loading commit data...
server_test.go		Loading commit data...
sock_bsd.go		Loading commit data...
sock_cloexec.go		Loading commit data...
sock_linux.go		Loading commit data...
sock_plan9.go		Loading commit data...
sock_posix.go		Loading commit data...
sock_stub.go		Loading commit data...
sock_windows.go		Loading commit data...
sockopt_bsd.go		Loading commit data...
sockopt_linux.go		Loading commit data...
sockopt_plan9.go		Loading commit data...
sockopt_posix.go		Loading commit data...
sockopt_solaris.go		Loading commit data...
sockopt_stub.go		Loading commit data...
sockopt_windows.go		Loading commit data...
sockoptip_bsdvar.go		Loading commit data...
sockoptip_linux.go		Loading commit data...
sockoptip_posix.go		Loading commit data...
sockoptip_stub.go		Loading commit data...
sockoptip_windows.go		Loading commit data...
sys_cloexec.go		Loading commit data...
tcpsock.go		Loading commit data...
tcpsock_plan9.go		Loading commit data...
tcpsock_posix.go		Loading commit data...
tcpsock_test.go		Loading commit data...
tcpsock_unix_test.go		Loading commit data...
tcpsockopt_darwin.go		Loading commit data...
tcpsockopt_dragonfly.go		Loading commit data...
tcpsockopt_openbsd.go		Loading commit data...
tcpsockopt_plan9.go		Loading commit data...
tcpsockopt_posix.go		Loading commit data...
tcpsockopt_solaris.go		Loading commit data...
tcpsockopt_stub.go		Loading commit data...
tcpsockopt_unix.go		Loading commit data...
tcpsockopt_windows.go		Loading commit data...
timeout_test.go		Loading commit data...
udpsock.go		Loading commit data...
udpsock_plan9.go		Loading commit data...
udpsock_plan9_test.go		Loading commit data...
udpsock_posix.go		Loading commit data...
udpsock_test.go		Loading commit data...
unixsock.go		Loading commit data...
unixsock_linux_test.go		Loading commit data...
unixsock_plan9.go		Loading commit data...
unixsock_posix.go		Loading commit data...
unixsock_test.go		Loading commit data...
write_unix_test.go		Loading commit data...
writev_test.go		Loading commit data...
writev_unix.go		Loading commit data...