From: Andrew Gerrand <adg@golang.org>
Date: Tue, 2 Jun 2015 18:01:56 +0000 (-0700)
Subject: net/http: set nosniff header when serving Error
X-Git-Tag: go1.5beta1~417
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=321663197e57ea5cea704b337cb8185f33883bd0;p=gostls13.git

net/http: set nosniff header when serving Error

The Error function is a potential XSS vector if a user can control the
error message.

For example, an http.FileServer when given a request for this path
	/<script>alert("xss!")</script>
may return a response with a body like this
	open <script>alert("xss!")</script>: no such file or directory
Browsers that sniff the content may interpret this as HTML and execute
the script. The nosniff header added by this CL should help, but we
should also try santizing the output entirely.

Change-Id: I447f701531329a2fc8ffee2df2f8fa69d546f893
Reviewed-on: https://go-review.googlesource.com/10640
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
---

diff --git a/src/net/http/server.go b/src/net/http/server.go
index dbd629210e..33588609b1 100644
--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@@ -1326,6 +1326,7 @@ func (f HandlerFunc) ServeHTTP(w ResponseWriter, r *Request) {
 // The error message should be plain text.
 func Error(w ResponseWriter, error string, code int) {
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.WriteHeader(code)
 	fmt.Fprintln(w, error)
 }