author: Andrew Gerrand <adg@golang.org> 2015-06-02 11:01:56 -0700
committer: Andrew Gerrand <adg@golang.org> 2015-06-02 18:29:45 +0000
commit: 321663197e57ea5cea704b337cb8185f33883bd0
tree: aec7305a5d6af44ec7d1fdf6aeeaa11199491ef6
parent: 70cf7352b488f68141cf73ba35cdfe7c158964fd
net/http: set nosniff header when serving Error
The Error function is a potential XSS vector if a user can control the error message. For example, an http.FileServer when given a request for this path

    /<script>alert("xss!")</script>

may return a response with a body like this

    open <script>alert("xss!")</script>: no such file or directory

Browsers that sniff the content may interpret this as HTML and execute the script.

The nosniff header added by this CL should help, but we should also try sanitizing the output entirely.

Change-Id: I447f701531329a2fc8ffee2df2f8fa69d546f893
Reviewed-on: https://go-review.googlesource.com/10640
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
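As an added example (not code from this CL or from the Go project), the following Go program uses net/http/httptest to check the two headers http.Error emits for an attacker-influenced message, and then probes an http.FileServer over an empty temporary directory with the path quoted in the commit message to confirm its 404 response is sniff-safe. The directory, the request path and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// SniffSafe reports whether a response carries both headers that keep a
// browser from treating a reflected error body as HTML: a text/plain
// Content-Type and X-Content-Type-Options: nosniff.
func SniffSafe(h http.Header) bool {
	return strings.HasPrefix(h.Get("Content-Type"), "text/plain") &&
		h.Get("X-Content-Type-Options") == "nosniff"
}

// ErrorResponse records what http.Error writes for an attacker-influenced
// message, so headers and body can be inspected without a real server.
func ErrorResponse(msg string, code int) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	http.Error(rec, msg, code)
	return rec
}

// ProbeFileServer serves an empty temporary directory and requests the given
// path. It returns the status, whether the response is sniff-safe, and whether
// a "<script>" tag from the path was echoed into the body.
func ProbeFileServer(path string) (status int, safe, echoed bool, err error) {
	dir, err := os.MkdirTemp("", "nosniff-demo") // constructed, empty docroot
	if err != nil {
		return 0, false, false, err
	}
	defer os.RemoveAll(dir)
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", path, nil)
	http.FileServer(http.Dir(dir)).ServeHTTP(rec, req)
	echoed = strings.Contains(rec.Body.String(), "<script>")
	return rec.Code, SniffSafe(rec.Header()), echoed, nil
}

func main() {
	// Constructed input: the request path from the commit message.
	path := `/<script>alert("xss!")</script>`
	rec := ErrorResponse("open "+path+": no such file or directory", http.StatusNotFound)
	fmt.Printf("http.Error: status=%d sniffSafe=%v\n", rec.Code, SniffSafe(rec.Header()))
	status, safe, echoed, err := ProbeFileServer(path)
	fmt.Printf("FileServer: status=%d sniffSafe=%v echoed=%v err=%v\n", status, safe, echoed, err)
}
```

The body written by http.Error still contains the message verbatim; the check only confirms that the headers tell a browser not to sniff it as HTML.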
-rw-r--r--  src/net/http/server.go | 1 +
1 file changed, 1 insertion, 0 deletions
diff --git a/src/net/http/server.go b/src/net/http/server.go
index dbd629210e..33588609b1 100644
--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@@ -1326,6 +1326,7 @@ func (f HandlerFunc) ServeHTTP(w ResponseWriter, r *Request) {
// The error message should be plain text.
func Error(w ResponseWriter, error string, code int) {
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+ w.Header().Set("X-Content-Type-Options", "nosniff")
w.WriteHeader(code)
fmt.Fprintln(w, error)
}
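Review bot: the doc comment directly above Error (`// The error message should be plain text.`) is not updated to say that Error now also sets `X-Content-Type-Options: nosniff`; callers that rely on Error's headers (and tests that snapshot them) will want that documented alongside the Content-Type line. Note also that `Set` will overwrite any value a handler put in that header before calling Error, and that the body written by `fmt.Fprintln(w, error)` is still emitted unescaped, so this hunk reduces the sniffing risk described in the commit message but does not remove the reflection it points at.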