authorMatthew Holt <mholt@users.noreply.github.com>2019-06-07 19:59:17 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2019-06-07 19:59:25 -0600
commitef5f29cfb257c7503763a4b16947c4eb6a7864c3 (patch)
tree2bceddc23e11434e1bbf7361adf045ec52b12c52 /modules
parent8947ae0cc1babf2ca6f8e01aa93cb13eebb3e854 (diff)
Do not allow Go standard lib to sniff Content-Type header
Diffstat (limited to 'modules')
-rw-r--r--modules/caddyhttp/fileserver/staticfiles.go5
-rw-r--r--modules/caddyhttp/staticresp.go5
2 files changed, 9 insertions, 1 deletions
diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go
index 86704fa..d094406 100644
--- a/modules/caddyhttp/fileserver/staticfiles.go
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@@ -185,7 +185,10 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) error
// TODO: Etag
- // TODO: Disable content-type sniffing by setting a content-type...
+ // do not allow Go to sniff the content-type
+ if w.Header().Get("Content-Type") == "" {
+ w.Header()["Content-Type"] = nil
+ }
// let the standard library do what it does best; note, however,
// that errors generated by ServeContent are written immediately
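Review bot: Marking `Content-Type` as present-but-nil before the ServeContent call named in the trailing comment turns off more than sniffing: ServeContent only consults `mime.TypeByExtension` when the key is absent, so files with well-known extensions are now sent with no Content-Type at all. A response without a declared type leaves the decision to the client, and browsers may then apply their own sniffing to served files unless `X-Content-Type-Options: nosniff` is also sent; the same applies to the hunk in staticresp.go. I would set the type from the extension first and fall back to the nil entry only when that lookup is empty, e.g. `if mtyp := mime.TypeByExtension(filepath.Ext(name)); mtyp != "" { w.Header().Set("Content-Type", mtyp) } else { w.Header()["Content-Type"] = nil }`, where `name` stands for whatever path variable ServeHTTP holds outside this hunk. ServeHTTP's body starts and ends outside the hunk, so an extension lookup elsewhere in the function cannot be ruled out from here.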
diff --git a/modules/caddyhttp/staticresp.go b/modules/caddyhttp/staticresp.go
index 091cf3a..ad59681 100644
--- a/modules/caddyhttp/staticresp.go
+++ b/modules/caddyhttp/staticresp.go
@@ -39,6 +39,11 @@ func (s Static) ServeHTTP(w http.ResponseWriter, r *http.Request) error {
w.Header()[field] = vals
}
+ // do not allow Go to sniff the content-type
+ if w.Header().Get("Content-Type") == "" {
+ w.Header()["Content-Type"] = nil
+ }
+
// get the status code
statusCode := s.StatusCode
if statusCode == 0 && s.StatusCodeStr != "" {
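Review bot: The four added lines are a verbatim copy of the ones added in fileserver/staticfiles.go, and the comment does not explain why assigning nil has the stated effect. I would move them into one shared helper and document the mechanism there, e.g. `// A Content-Type key that is present but nil stops net/http from detecting a type on the first write; the response is then sent without a Content-Type header.` Because the guard uses `Get`, a Content-Type that the `w.Header()[field] = vals` assignment above set to an empty value is also replaced with nil; that is probably intended, but worth stating in the comment. ServeHTTP continues past the end of the hunk.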