
http2: revert CL 107295 (don't sniff Content-type in Server when nosniff)

Updates golang/go#24795

Change-Id: Idb018ad9eba1292e91d9339190fdd24ef8a0af4e
Reviewed-on: https://go-review.googlesource.com/126895
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Brad Fitzpatrick 7 years ago
parent
commit
49c15d80df
2 changed files with 1 additions and 45 deletions
  1. 1 9
      http2/server.go
  2. 0 36
      http2/server_test.go

+ 1 - 9
http2/server.go

@@ -2346,15 +2346,7 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
 		}
 		_, hasContentType := rws.snapHeader["Content-Type"]
 		if !hasContentType && bodyAllowedForStatus(rws.status) && len(p) > 0 {
-			if cto := rws.snapHeader.Get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
-				// nosniff is an explicit directive not to guess a content-type.
-				// Content-sniffing is no less susceptible to polyglot attacks via
-				// hosted content when done on the server.
-				ctype = "application/octet-stream"
-				rws.conn.logf("http2: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
-			} else {
-				ctype = http.DetectContentType(p)
-			}
+			ctype = http.DetectContentType(p)
 		}
 		var date string
 		if _, ok := rws.snapHeader["Date"]; !ok {
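Review bot: After this revert, the `ctype = http.DetectContentType(p)` line in writeChunk runs even when the handler set `X-Content-Type-Options: nosniff` without a Content-Type, and nothing in the new code documents that. A handler that serves user-supplied bytes and relies on nosniff alone will have its response labelled from the first bytes of the body (the deleted test's `<html>this is HTML.` would presumably go out as text/html), and a browser honouring nosniff will trust that label. I would add a comment above the line, e.g. `// Sniffing still happens when X-Content-Type-Options: nosniff is set; handlers serving untrusted content must set Content-Type explicitly.` The commit also removes TestServer_Response_Nosniff_WithoutContentType without a replacement, so no test pins the restored behaviour for the nosniff-without-Content-Type case. writeChunk's body starts and ends outside the hunk.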

+ 0 - 36
http2/server_test.go

@@ -1760,42 +1760,6 @@ func TestServer_Response_Data_Sniff_DoesntOverride(t *testing.T) {
 	})
 }
 
-func TestServer_Response_Nosniff_WithoutContentType(t *testing.T) {
-	const msg = "<html>this is HTML."
-	testServerResponse(t, func(w http.ResponseWriter, r *http.Request) error {
-		w.Header().Set("X-Content-Type-Options", "nosniff")
-		w.WriteHeader(200)
-		io.WriteString(w, msg)
-		return nil
-	}, func(st *serverTester) {
-		getSlash(st)
-		hf := st.wantHeaders()
-		if hf.StreamEnded() {
-			t.Fatal("don't want END_STREAM, expecting data")
-		}
-		if !hf.HeadersEnded() {
-			t.Fatal("want END_HEADERS flag")
-		}
-		goth := st.decodeHeader(hf.HeaderBlockFragment())
-		wanth := [][2]string{
-			{":status", "200"},
-			{"x-content-type-options", "nosniff"},
-			{"content-type", "application/octet-stream"},
-			{"content-length", strconv.Itoa(len(msg))},
-		}
-		if !reflect.DeepEqual(goth, wanth) {
-			t.Errorf("Got headers %v; want %v", goth, wanth)
-		}
-		df := st.wantData()
-		if !df.StreamEnded() {
-			t.Error("expected DATA to have END_STREAM flag")
-		}
-		if got := string(df.Data()); got != msg {
-			t.Errorf("got DATA %q; want %q", got, msg)
-		}
-	})
-}
-
 func TestServer_Response_TransferEncoding_chunked(t *testing.T) {
 	const msg = "hi"
 	testServerResponse(t, func(w http.ResponseWriter, r *http.Request) error {