The docs for ResponseWriter.Write say
// If the Header
// does not contain a Content-Type line, Write adds a Content-Type set
// to the result of passing the initial 512 bytes of written data to
// DetectContentType.
The header X-Content-Type-Options:nosniff is an explicit directive that
content-type should not be sniffed.
This changes the behavior of Response.WriteHeader so that, when
there is an X-Content-Type-Options:nosniff header, but there is
no Content-type header, the following happens:
1. A Content-type:application/octet-stream is added
2. A warning is logged via the server's logging mechanism.
Previously, a content-type would have been silently added based on
heuristic analysis of the first 512B which might allow a hosted
GIF like http://www.thinkfu.com/blog/gifjavascript-polyglots to be
categorized as JavaScript which might allow a CSP bypass, loading
as a script despite `Content-Security-Policy: script-src 'self' `.
----
https://fetch.spec.whatwg.org/#x-content-type-options-header
defines the X-Content-Type-Options header.
["Polyglots: Crossing Origins by Crossing Formats"](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.905.2946&rep=rep1&type=pdf)
explains Polyglot attacks in more detail.
Change-Id: I2c8800d2e4b4d10d9e08a0e3e5b20334a75f03c0
Reviewed-on: https://go-review.googlesource.com/89275
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
return nil
},
},
+ {
+ name: "Nosniff without Content-type",
+ handler: func(rw ResponseWriter, r *Request) {
+ rw.Header().Set("X-Content-Type-Options", "nosniff")
+ rw.WriteHeader(200)
+ rw.Write([]byte("<!doctype html>\n<html><head></head><body>some html</body></html>"))
+ },
+ check: func(got string) error {
+ if !strings.Contains(got, "Content-Type: application/octet-stream\r\n") {
+ return errors.New("Output should have an innocuous content-type")
+ }
+ if strings.Contains(got, "text/html") {
+ return errors.New("Output should not have a guess")
+ }
+ return nil
+ },
+ },
}
for _, tc := range tests {
ht := newHandlerTest(HandlerFunc(tc.handler))
// If no content type, apply sniffing algorithm to body.
_, haveType := header["Content-Type"]
if !haveType && !hasTE && len(p) > 0 {
- setHeader.contentType = DetectContentType(p)
+ if cto := header.get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
+ // nosniff is an explicit directive not to guess a content-type.
+ // Content-sniffing is no less susceptible to polyglot attacks via
+ // hosted content when done on the server.
+ setHeader.contentType = "application/octet-stream"
+ w.conn.server.logf("http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
+ } else {
+ setHeader.contentType = DetectContentType(p)
+ }
}
} else {
for _, k := range suppressedHeaders(code) {