net/http: revert CL 89275 (don't sniff Content-Type when nosniff set)

bradfitz · bradfitz · commit d3c3aaa61f75 · 2018-07-31T17:29:58.000Z
Also updates the bundled http2 to x/net/http2 git rev 49c15d80 for: http2: revert CL 107295 (don't sniff Content-type in Server when nosniff) https://golang.org/cl/126895 Fixes golang#24795 Change-Id: I6ae1a21c919947089274e816eb628d20490f83ce Reviewed-on: https://go-review.googlesource.com/126896 Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/doc/go1.11.html b/doc/go1.11.html
@@ -677,10 +677,7 @@ <h3 id="minor_library_changes">Minor changes to the library</h3>
       methods will return errors after a shutdown or close.
     </p>
 
-    <p><!-- CL 89275 -->
-      The HTTP server will no longer automatically set the Content-Type if a
-      <code>Handler</code> sets the "<code>X-Content-Type-Options</code>" header to "<code>nosniff</code>".
-    </p>
+    <!-- CL 89275 was reverted before Go 1.11 -->
 
     <p><!-- CL 93296 -->
       The constant <code>StatusMisdirectedRequest</code> is now defined for HTTP status code 421.
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
@@ -3585,26 +3585,6 @@ func TestHeaderToWire(t *testing.T) {
 				return nil
 			},
 		},
-		{
-			name: "Nosniff without Content-type",
-			handler: func(rw ResponseWriter, r *Request) {
-				rw.Header().Set("X-Content-Type-Options", "nosniff")
-				rw.WriteHeader(200)
-				rw.Write([]byte("<!doctype html>\n<html><head></head><body>some html</body></html>"))
-			},
-			check: func(got, logs string) error {
-				if !strings.Contains(got, "Content-Type: application/octet-stream\r\n") {
-					return errors.New("Output should have an innocuous content-type")
-				}
-				if strings.Contains(got, "text/html") {
-					return errors.New("Output should not have a guess")
-				}
-				if !strings.Contains(logs, "X-Content-Type-Options:nosniff but no Content-Type") {
-					return errors.New("Expected log message")
-				}
-				return nil
-			},
-		},
 	}
 	for _, tc := range tests {
 		ht := newHandlerTest(HandlerFunc(tc.handler))
diff --git a/src/net/http/server.go b/src/net/http/server.go
@@ -1360,15 +1360,7 @@ func (cw *chunkWriter) writeHeader(p []byte) {
 		// If no content type, apply sniffing algorithm to body.
 		_, haveType := header["Content-Type"]
 		if !haveType && !hasTE && len(p) > 0 {
-			if cto := header.get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
-				// nosniff is an explicit directive not to guess a content-type.
-				// Content-sniffing is no less susceptible to polyglot attacks via
-				// hosted content when done on the server.
-				setHeader.contentType = "application/octet-stream"
-				w.conn.server.logf("http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
-			} else {
-				setHeader.contentType = DetectContentType(p)
-			}
+			setHeader.contentType = DetectContentType(p)
 		}
 	} else {
 		for _, k := range suppressedHeaders(code) {
