author | abarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-12-05 07:24:44 +0000 |
---|---|---|
committer | abarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-12-05 07:24:44 +0000 |
commit | a116f0e31c10e5bf50ddddba007d4892e6b38e35 (patch) | |
tree | d7b16638072de699391b89e499aef8820963297f /chrome | |
parent | 3588085479a4b0cf5cface7082ddbcdd4bb9b559 (diff) | |
Disable the content sniffing algorithm if the server instructs us to do so with the nosniff directive.
For context, see http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
R=deanm,darin
Review URL: http://codereview.chromium.org/12982
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@6422 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome')
-rw-r--r-- | chrome/browser/resource_dispatcher_host.cc | 6 | ||||
-rw-r--r-- | chrome/browser/resource_dispatcher_host_uitest.cc | 4 | ||||
-rwxr-xr-x | chrome/test/data/nosniff-test.html | 4 | ||||
-rwxr-xr-x | chrome/test/data/nosniff-test.html.mock-http-headers | 5 |
4 files changed, 18 insertions, 1 deletions
diff --git a/chrome/browser/resource_dispatcher_host.cc b/chrome/browser/resource_dispatcher_host.cc
index 6ebf412..4b986bc 100644
--- a/chrome/browser/resource_dispatcher_host.cc
+++ b/chrome/browser/resource_dispatcher_host.cc
@@ -1133,7 +1133,11 @@ bool ResourceDispatcherHost::BufferedEventHandler::DelayResponse() {
   std::string mime_type;
   request_->GetMimeType(&mime_type);
-  if (net::ShouldSniffMimeType(request_->url(), mime_type)) {
+  std::string content_type_options;
+  request_->GetResponseHeaderByName("x-content-type-options",
+                                    &content_type_options);
+  if (content_type_options != "nosniff" &&
+      net::ShouldSniffMimeType(request_->url(), mime_type)) {
     // We're going to look at the data before deciding what the content type
     // is. That means we need to delay sending the ResponseStarted message
     // over the IPC channel.
diff --git a/chrome/browser/resource_dispatcher_host_uitest.cc b/chrome/browser/resource_dispatcher_host_uitest.cc
index 2f83e73..6d276ee 100644
--- a/chrome/browser/resource_dispatcher_host_uitest.cc
+++ b/chrome/browser/resource_dispatcher_host_uitest.cc
@@ -50,6 +50,10 @@ TEST_F(ResourceDispatcherTest, SniffHTMLWithNoContentType) {
                  L"Content Sniffer Test 0");
 }
 
+TEST_F(ResourceDispatcherTest, RespectNoSniffDirective) {
+  CheckTitleTest(L"nosniff-test.html", L"");
+}
+
 TEST_F(ResourceDispatcherTest, DoNotSniffHTMLFromTextPlain) {
   CheckTitleTest(L"content-sniffer-test1.html", L"");
 }
diff --git a/chrome/test/data/nosniff-test.html b/chrome/test/data/nosniff-test.html
new file mode 100755
index 0000000..a7ab8ba
--- /dev/null
+++ b/chrome/test/data/nosniff-test.html
@@ -0,0 +1,4 @@
+<html>
+<head><title>nosniff Test</title></head>
+<body>We should NOT sniff this content as HTML.</body>
+</html>
diff --git a/chrome/test/data/nosniff-test.html.mock-http-headers b/chrome/test/data/nosniff-test.html.mock-http-headers
new file mode 100755
index 0000000..6cd1f86
--- /dev/null
+++ b/chrome/test/data/nosniff-test.html.mock-http-headers
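Review bot: The new condition `content_type_options != "nosniff"` in DelayResponse is an exact, case-sensitive string compare, so a server sending `X-Content-Type-Options: NOSNIFF` or `nosniff ` with trailing whitespace would not match and sniffing would still run — the opt-out fails open, which is the wrong direction for a security directive the server has explicitly asked for. The value should be trimmed and compared ASCII case-insensitively, e.g. `if (!LowerCaseEqualsASCII(content_type_options, "nosniff") &&` (assuming that base helper is available in this tree), and the RespectNoSniffDirective uitest only exercises the lowercase spelling from the mock headers, so a mixed-case fixture would be needed to catch this. Whether GetResponseHeaderByName matches the lowercase name `"x-content-type-options"` against the canonical header spelling case-insensitively is not visible in the hunk and is worth confirming. DelayResponse begins before and ends after this hunk.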
@@ -0,0 +1,5 @@
+HTTP/1.1 200 OK
+Content-Length: 111
+X-Content-Type-Options: nosniff
+Date: Mon, 13 Nov 2006 21:38:09 GMT
+Expires: Tue, 14 Nov 2006 19:23:58 GMT