http2: revert CL 107295 (don't sniff Content-type in Server when nosniff)

Updates golang/go#24795 Change-Id: Idb018ad9eba1292e91d9339190fdd24ef8a0af4e Reviewed-on: https://go-review.googlesource.com/126895 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com>
2026-03-31 18:37:08 +09:00 · 2018-07-31 17:08:08 +00:00
parent a0f8a16cb0
commit 49c15d80df
2 changed files with 1 additions and 45 deletions
--- a/http2/server.go
+++ b/http2/server.go
@@ -2346,15 +2346,7 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
 		}
 		_, hasContentType := rws.snapHeader["Content-Type"]
 		if !hasContentType && bodyAllowedForStatus(rws.status) && len(p) > 0 {
-			if cto := rws.snapHeader.Get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
-				// nosniff is an explicit directive not to guess a content-type.
-				// Content-sniffing is no less susceptible to polyglot attacks via
-				// hosted content when done on the server.
-				ctype = "application/octet-stream"
-				rws.conn.logf("http2: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
-			} else {
-				ctype = http.DetectContentType(p)
-			}
+			ctype = http.DetectContentType(p)
 		}
 		var date string
 		if _, ok := rws.snapHeader["Date"]; !ok {
--- a/http2/server_test.go
+++ b/http2/server_test.go
@@ -1760,42 +1760,6 @@ func TestServer_Response_Data_Sniff_DoesntOverride(t *testing.T) {
 	})
 }

-func TestServer_Response_Nosniff_WithoutContentType(t *testing.T) {
-	const msg = "<html>this is HTML."
-	testServerResponse(t, func(w http.ResponseWriter, r *http.Request) error {
-		w.Header().Set("X-Content-Type-Options", "nosniff")
-		w.WriteHeader(200)
-		io.WriteString(w, msg)
-		return nil
-	}, func(st *serverTester) {
-		getSlash(st)
-		hf := st.wantHeaders()
-		if hf.StreamEnded() {
-			t.Fatal("don't want END_STREAM, expecting data")
-		}
-		if !hf.HeadersEnded() {
-			t.Fatal("want END_HEADERS flag")
-		}
-		goth := st.decodeHeader(hf.HeaderBlockFragment())
-		wanth := [][2]string{
-			{":status", "200"},
-			{"x-content-type-options", "nosniff"},
-			{"content-type", "application/octet-stream"},
-			{"content-length", strconv.Itoa(len(msg))},
-		}
-		if !reflect.DeepEqual(goth, wanth) {
-			t.Errorf("Got headers %v; want %v", goth, wanth)
-		}
-		df := st.wantData()
-		if !df.StreamEnded() {
-			t.Error("expected DATA to have END_STREAM flag")
-		}
-		if got := string(df.Data()); got != msg {
-			t.Errorf("got DATA %q; want %q", got, msg)
-		}
-	})
-}
-
 func TestServer_Response_TransferEncoding_chunked(t *testing.T) {
 	const msg = "hi"
 	testServerResponse(t, func(w http.ResponseWriter, r *http.Request) error {