diff options
| -rw-r--r-- | chrome/browser/renderer_host/buffered_resource_handler.cc | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/chrome/browser/renderer_host/buffered_resource_handler.cc b/chrome/browser/renderer_host/buffered_resource_handler.cc index 14f6934..ea7d69d 100644 --- a/chrome/browser/renderer_host/buffered_resource_handler.cc +++ b/chrome/browser/renderer_host/buffered_resource_handler.cc @@ -116,7 +116,8 @@ bool BufferedResourceHandler::DelayResponse() { request_->GetResponseHeaderByName("x-content-type-options", &content_type_options); - const bool sniffing_blocked = (content_type_options == "nosniff"); + const bool sniffing_blocked = + LowerCaseEqualsASCII(content_type_options, "nosniff"); const bool we_would_like_to_sniff = net::ShouldSniffMimeType(request_->url(), mime_type); @@ -131,6 +132,14 @@ bool BufferedResourceHandler::DelayResponse() { return true; } + if (sniffing_blocked && mime_type.empty()) { + // Ugg. The server told us not to sniff the content but didn't give us a + // mime type. What's a browser to do? Turns out, we're supposed to treat + // the response as "text/plain". This is the most secure option. + mime_type.assign("text/plain"); + response_->response_head.mime_type.assign(mime_type); + } + if (ShouldBuffer(request_->url(), mime_type)) { // This is a temporary fix for the fact that webkit expects to have // enough data to decode the doctype in order to select the rendering |