http2/server_test.go · 5f9ae10d9af5b1c89ae6904293b14b064d4ada23 · go / net

http2: don't sniff Content-type in Server when X-Content-Type-Options:nosniff · 84348c2d

Baokun Lee authored Apr 15, 2018

The header X-Content-Type-Options:nosniff is an explicit directive that
content-type should not be sniffed.

----

https://fetch.spec.whatwg.org/#x-content-type-options-header
defines the X-Content-Type-Options header.

["Polyglots: Crossing Origins by Crossing Formats"](http://citeseerx.ist.psu.edu
/viewdoc/download?doi=10.1.1.905.2946&rep=rep1&type=pdf)
explains Polyglot attacks in more detail.

Fixes golang/go#24795

Change-Id: Ibcc2d6a561394392ad0bf112eecc01c43823a2a2
Reviewed-on: https://go-review.googlesource.com/107295Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

84348c2d

server_test.go 103 KB

Replace server_test.go