
net/http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type #26077

Closed
agnivade opened this issue Jun 27, 2018 · 3 comments
Labels
FrozenDueToAge, NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)
Milestone

Comments

@agnivade
Contributor

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.11beta1 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

```
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/agniva/.cache/go-build"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/agniva/play/go"
GOPROXY=""
GORACE=""
GOROOT="/home/agniva/sdk/go1.11beta1"
GOTMPDIR=""
GOTOOLDIR="/home/agniva/sdk/go1.11beta1/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build285380950=/tmp/go-build -gno-record-gcc-switches"
VGOMODROOT=""
```

What did you do?

Used 1.11 beta1 to test my web app.

Context: I use the "github.com/unrolled/secure" middleware which injects security headers in my responses. The issue is about the X-Content-Type-Options header.

What did you expect to see?

I expected my Content-Type header to remain unchanged when I use 1.11 beta1.

What did you see instead?

Found that my Content-Type in the response got changed from text/plain; charset=utf-8 to application/octet-stream.

Along with a warning from the app - http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type

Repro -

```go
package main

import (
	"log"
	"net/http"
)

func main() {
	http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) {
		// nosniff is sent, but no Content-Type is set before WriteHeader.
		w.Header().Set("X-Content-Type-Options", "nosniff")
		// w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.WriteHeader(http.StatusCreated)
		w.Write([]byte("OK"))
	})

	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

This gives Content-Type: text/plain; charset=utf-8 in 1.10.2 and gives Content-Type: application/octet-stream in 1.11beta1.

If you uncomment the line to explicitly set Content-Type, it goes away.

Wondering if this is an intentional change, because sensitive HTTP clients might break due to this behavior. And if it indeed is intentional, I will have to change all my apps to add this new line 😭

@agnivade agnivade added the NeedsInvestigation label Jun 27, 2018
@agnivade agnivade added this to the Go1.11 milestone Jun 27, 2018
@agnivade
Contributor Author

/cc @bradfitz

@agnivade
Contributor Author

Looks like intentional - #24795.

@bradfitz - What is the expected action here? Explicitly set Content-Type?

@bradfitz
Contributor

The X-Content-Type-Options: nosniff header means "I set my Content-Type explicitly and I know it's correct, so please don't sniff it and change it, browsers."

But if you're not setting a Content-Type, it doesn't make sense to say that the value should not be sniffed by the browser.

As such, in Go 1.11 we also don't sniff it, and issue a warning if you issued that header but forgot to set a Content-Type.

So, yes, this is intentional. Although I imagine this does break people who previously trusted Go's content-sniffing but didn't trust the more-aggressive browsers' content sniffing. In that regard this is a regression, but one I'm happy about if this is sufficiently documented in the release notes. https://go-review.googlesource.com/c/go/+/89275 is marked as RELNOTE=yes and I see https://tip.golang.org/doc/go1.11#net/http has a TODO to flesh out the docs on this.

So I think this can be closed, but cc @FiloSottile @mikesamuel if there are other opinions.

@golang golang locked and limited conversation to collaborators Jun 27, 2019