net/http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type #26077
Labels
FrozenDueToAge
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (
go version
)?go version go1.11beta1 linux/amd64
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?What did you do?
Used 1.11 beta1 to test my web app.
Context: I use the "github.com/unrolled/secure" middleware which injects security headers in my responses. The issue is about the
X-Content-Type-Options
header.What did you expect to see?
I expected my
Content-Type
header to remain unchanged when I use 1.11 beta1.What did you see instead?
Found that my Content-Type in the response got changed from
text/plain; charset=utf-8
toapplication/octet-stream
.Along with a warning from the app -
http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type
Repro -
This gives
Content-Type: text/plain; charset=utf-8
in 1.10.2 and givesContent-Type: application/octet-stream
in 1.11beta1.If you uncomment the line to explicitly set
Content-Type
, it goes away.Wondering if this is an intentional change. Because sensitive http clients might break due to this behavior. And if it indeed is intentional, I will have to change all my apps to add this new line 😭
The text was updated successfully, but these errors were encountered: