diff --git a/http2/server.go b/http2/server.go
index 22cb18e0..9862dad0 100644
--- a/http2/server.go
+++ b/http2/server.go
@@ -2346,15 +2346,7 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
 }
 _, hasContentType := rws.snapHeader["Content-Type"]
 if !hasContentType && bodyAllowedForStatus(rws.status) && len(p) > 0 {
- if cto := rws.snapHeader.Get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
- // nosniff is an explicit directive not to guess a content-type.
- // Content-sniffing is no less susceptible to polyglot attacks via
- // hosted content when done on the server.
- ctype = "application/octet-stream"
- rws.conn.logf("http2: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
- } else {
- ctype = http.DetectContentType(p)
- }
+ ctype = http.DetectContentType(p)
 }
 var date string
 if _, ok := rws.snapHeader["Date"]; !ok {
diff --git a/http2/server_test.go b/http2/server_test.go
index 6a27c477..bb19c966 100644
--- a/http2/server_test.go
+++ b/http2/server_test.go
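Review bot: With the nosniff branch gone, the `ctype = http.DetectContentType(p)` line in writeChunk (http2/server.go) now guesses a type from the first chunk even when the handler sent `X-Content-Type-Options: nosniff` without a Content-Type, and nothing in the new code says so. A client that honours nosniff will trust whatever type the server declares, so a handler that serves user-supplied bytes can have them labelled `text/html` by the sniffer; I would add a comment above that line such as `// Sniffing applies even with X-Content-Type-Options: nosniff; handlers serving untrusted content must set Content-Type explicitly.` The test file also drops TestServer_Response_Nosniff_WithoutContentType without a replacement that pins the header set now produced for this case. writeChunk's body starts and ends outside the hunk.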
@@ -1760,42 +1760,6 @@ func TestServer_Response_Data_Sniff_DoesntOverride(t *testing.T) {
 })
 }
 
-func TestServer_Response_Nosniff_WithoutContentType(t *testing.T) {
- const msg = "this is HTML."
- testServerResponse(t, func(w http.ResponseWriter, r *http.Request) error {
- w.Header().Set("X-Content-Type-Options", "nosniff")
- w.WriteHeader(200)
- io.WriteString(w, msg)
- return nil
- }, func(st *serverTester) {
- getSlash(st)
- hf := st.wantHeaders()
- if hf.StreamEnded() {
- t.Fatal("don't want END_STREAM, expecting data")
- }
- if !hf.HeadersEnded() {
- t.Fatal("want END_HEADERS flag")
- }
- goth := st.decodeHeader(hf.HeaderBlockFragment())
- wanth := [][2]string{
- {":status", "200"},
- {"x-content-type-options", "nosniff"},
- {"content-type", "application/octet-stream"},
- {"content-length", strconv.Itoa(len(msg))},
- }
- if !reflect.DeepEqual(goth, wanth) {
- t.Errorf("Got headers %v; want %v", goth, wanth)
- }
- df := st.wantData()
- if !df.StreamEnded() {
- t.Error("expected DATA to have END_STREAM flag")
- }
- if got := string(df.Data()); got != msg {
- t.Errorf("got DATA %q; want %q", got, msg)
- }
- })
-}
-
 func TestServer_Response_TransferEncoding_chunked(t *testing.T) {
 const msg = "hi"
 testServerResponse(t, func(w http.ResponseWriter, r *http.Request) error {