http2: add X-Content-Type-Options automatically to prevent sniffing
When a Content-Type that triggers content sniffing in old (but still in significant use) browsers is sent, add the X-Content-Type-Options: nosniff header, unless explicitly disabled.

Expose httpguts.SniffedContentType for use in the HTTP 1 implementation.

Will be tested by net/http.TestNoSniffHeader_h2.

Updates golang/go#24513

Change-Id: Id1ffea867a496393cb52c5a9f45af97d4b2fcf12
Reviewed-on: https://go-review.googlesource.com/112015
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
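The behaviour the commit message describes can be reproduced at the handler level with a ResponseWriter wrapper. This is an added example, not code from this commit or from the Go repository: the `sniffedTypes` set, the `nosniffWriter` and `probe` names, and the opt-out convention (the handler pre-creating the header key) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// Assumed, illustrative set of sniffable media types (not the httpguts list).
var sniffedTypes = map[string]bool{"text/plain": true, "application/octet-stream": true}

type nosniffWriter struct {
	http.ResponseWriter
	wrote bool
}

func (w *nosniffWriter) WriteHeader(code int) {
	h := w.Header()
	mt, _, err := mime.ParseMediaType(h.Get("Content-Type"))
	// Assumed opt-out: the handler already created the key, even with a nil value.
	_, explicit := h["X-Content-Type-Options"]
	if !w.wrote && err == nil && sniffedTypes[mt] && !explicit {
		h.Set("X-Content-Type-Options", "nosniff")
	}
	w.wrote = true
	w.ResponseWriter.WriteHeader(code)
}

func (w *nosniffWriter) Write(b []byte) (int, error) {
	if !w.wrote {
		w.WriteHeader(http.StatusOK) // implicit 200, as net/http does on first Write
	}
	return w.ResponseWriter.Write(b)
}

// probe serves one constructed response and returns the header a client would see.
func probe(contentType string, optOut bool) string {
	rec := httptest.NewRecorder()
	w := &nosniffWriter{ResponseWriter: rec}
	w.Header().Set("Content-Type", contentType)
	if optOut {
		w.Header()["X-Content-Type-Options"] = nil
	}
	w.Write([]byte("<b>constructed body</b>"))
	return rec.Result().Header.Get("X-Content-Type-Options")
}

func main() { fmt.Println(probe("text/plain", false), probe("text/plain", true)) }
```

The wrapper only sees a Content-Type the handler set explicitly; a type filled in later by the server's own detection is outside what this sketch covers.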