net/http: revert CL 89275 (don't sniff Content-Type when nosniff set)

Also updates the bundled http2 to x/net/http2 git rev 49c15d80 for: http2: revert CL 107295 (don't sniff Content-type in Server when nosniff) https://golang.org/cl/126895 Fixes #24795 Change-Id: I6ae1a21c919947089274e816eb628d20490f83ce Reviewed-on: https://go-review.googlesource.com/126896 Reviewed-by: Damien Neil <dneil@google.com>
2024-11-23 05:40:04 -07:00 · 2018-07-31 17:09:49 +00:00 · 2018-07-31 17:09:49 +00:00 · d3c3aaa61f
commit d3c3aaa61f
parent 9e2a4f4dff
4 changed files with 3 additions and 42 deletions
--- a/doc/go1.11.html
+++ b/doc/go1.11.html
@ -677,10 +677,7 @@ for k := range m {
      methods will return errors after a shutdown or close.
    </p>

-    <p><!-- CL 89275 -->
-      The HTTP server will no longer automatically set the Content-Type if a
-      <code>Handler</code> sets the "<code>X-Content-Type-Options</code>" header to "<code>nosniff</code>".
-    </p>
+    <!-- CL 89275 was reverted before Go 1.11 -->

    <p><!-- CL 93296 -->
      The constant <code>StatusMisdirectedRequest</code> is now defined for HTTP status code 421.
--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@ -6135,15 +6135,7 @@ func (rws *http2responseWriterState) writeChunk(p []byte) (n int, err error) {
 		}
 		_, hasContentType := rws.snapHeader["Content-Type"]
 		if !hasContentType && http2bodyAllowedForStatus(rws.status) && len(p) > 0 {
-			if cto := rws.snapHeader.Get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
-				// nosniff is an explicit directive not to guess a content-type.
-				// Content-sniffing is no less susceptible to polyglot attacks via
-				// hosted content when done on the server.
-				ctype = "application/octet-stream"
-				rws.conn.logf("http2: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
-			} else {
-				ctype = DetectContentType(p)
-			}
+			ctype = DetectContentType(p)
 		}
 		var date string
 		if _, ok := rws.snapHeader["Date"]; !ok {
--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
@ -3585,26 +3585,6 @@ func TestHeaderToWire(t *testing.T) {
 				return nil
 			},
 		},
-		{
-			name: "Nosniff without Content-type",
-			handler: func(rw ResponseWriter, r *Request) {
-				rw.Header().Set("X-Content-Type-Options", "nosniff")
-				rw.WriteHeader(200)
-				rw.Write([]byte("<!doctype html>\n<html><head></head><body>some html</body></html>"))
-			},
-			check: func(got, logs string) error {
-				if !strings.Contains(got, "Content-Type: application/octet-stream\r\n") {
-					return errors.New("Output should have an innocuous content-type")
-				}
-				if strings.Contains(got, "text/html") {
-					return errors.New("Output should not have a guess")
-				}
-				if !strings.Contains(logs, "X-Content-Type-Options:nosniff but no Content-Type") {
-					return errors.New("Expected log message")
-				}
-				return nil
-			},
-		},
 	}
 	for _, tc := range tests {
 		ht := newHandlerTest(HandlerFunc(tc.handler))
--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@ -1360,15 +1360,7 @@ func (cw *chunkWriter) writeHeader(p []byte) {
 		// If no content type, apply sniffing algorithm to body.
 		_, haveType := header["Content-Type"]
 		if !haveType && !hasTE && len(p) > 0 {
-			if cto := header.get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
-				// nosniff is an explicit directive not to guess a content-type.
-				// Content-sniffing is no less susceptible to polyglot attacks via
-				// hosted content when done on the server.
-				setHeader.contentType = "application/octet-stream"
-				w.conn.server.logf("http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
-			} else {
-				setHeader.contentType = DetectContentType(p)
-			}
+			setHeader.contentType = DetectContentType(p)
 		}
 	} else {
 		for _, k := range suppressedHeaders(code) {