net/http: set nosniff header when serving Error

The Error function is a potential XSS vector if a user can control the error message. For example, an http.FileServer when given a request for this path /<script>alert("xss!")</script> may return a response with a body like this open <script>alert("xss!")</script>: no such file or directory Browsers that sniff the content may interpret this as HTML and execute the script. The nosniff header added by this CL should help, but we should also try santizing the output entirely. Change-Id: I447f701531329a2fc8ffee2df2f8fa69d546f893 Reviewed-on: https://go-review.googlesource.com/10640 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2024-09-30 14:38:33 -06:00 · 2015-06-02 11:01:56 -07:00 · 2015-06-02 11:01:56 -07:00 · 321663197e
commit 321663197e
parent 70cf7352b4
1 changed files with 1 additions and 0 deletions
--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@ -1326,6 +1326,7 @@ func (f HandlerFunc) ServeHTTP(w ResponseWriter, r *Request) {
 // The error message should be plain text.
 func Error(w ResponseWriter, error string, code int) {
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.WriteHeader(code)
 	fmt.Fprintln(w, error)
 }