
net/http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type #26077

Closed
@agnivade


Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.11beta1 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/home/agniva/.cache/go-build"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/agniva/play/go"
GOPROXY=""
GORACE=""
GOROOT="/home/agniva/sdk/go1.11beta1"
GOTMPDIR=""
GOTOOLDIR="/home/agniva/sdk/go1.11beta1/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build285380950=/tmp/go-build -gno-record-gcc-switches"
VGOMODROOT=""

What did you do?

Used 1.11 beta1 to test my web app.

Context: I use the "github.com/unrolled/secure" middleware which injects security headers in my responses. The issue is about the X-Content-Type-Options header.

What did you expect to see?

I expected my Content-Type header to remain unchanged when I use 1.11 beta1.

What did you see instead?

Found that my Content-Type in the response got changed from text/plain; charset=utf-8 to application/octet-stream.

Along with a warning from the app - http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type

Repro -

package main

import (
	"log"
	"net/http"
)

func main() {
	http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Content-Type-Options", "nosniff")
		// w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.WriteHeader(http.StatusCreated)
		w.Write([]byte("OK"))
	})

	log.Fatal(http.ListenAndServe(":8080", nil))

}

This gives Content-Type: text/plain; charset=utf-8 in 1.10.2 and gives Content-Type: application/octet-stream in 1.11beta1.

If you uncomment the line to explicitly set Content-Type, it goes away.

Wondering if this is an intentional change. Because sensitive http clients might break due to this behavior. And if it indeed is intentional, I will have to change all my apps to add this new line 😭
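
One way to make handlers independent of the server's default here, as an added example (not part of the original issue and not net/http's own code): a `ResponseWriter` wrapper that sets an explicit `Content-Type` whenever `nosniff` is present without one, and records that the handler had left it unset. `typeGuard`, `probe` and the fallback value are hypothetical names and choices made for this sketch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// typeGuard (hypothetical name) wraps a ResponseWriter and sets an explicit
// Content-Type when a handler sends nosniff without one.
type typeGuard struct {
	http.ResponseWriter
	fallback string // assumed default type for this application
	Missing  bool   // true if the handler left Content-Type unset
}

func (g *typeGuard) fix() {
	h := g.Header()
	_, set := h["Content-Type"]
	if !set && h.Get("X-Content-Type-Options") == "nosniff" {
		g.Missing = true
		h.Set("Content-Type", g.fallback)
	}
}

func (g *typeGuard) WriteHeader(code int) { g.fix(); g.ResponseWriter.WriteHeader(code) }

func (g *typeGuard) Write(b []byte) (int, error) { g.fix(); return g.ResponseWriter.Write(b) }

// probe runs h behind the guard against an in-memory recorder and returns
// the Content-Type that was sent and whether the handler had omitted it.
func probe(h http.HandlerFunc, fallback string) (string, bool) {
	rec := httptest.NewRecorder()
	g := &typeGuard{ResponseWriter: rec, fallback: fallback}
	h(g, httptest.NewRequest("GET", "/bar", nil))
	return rec.Result().Header.Get("Content-Type"), g.Missing
}

func main() {
	// Same handler body as the repro in the issue.
	ct, missing := probe(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.WriteHeader(http.StatusCreated)
		w.Write([]byte("OK"))
	}, "text/plain; charset=utf-8")
	fmt.Printf("Content-Type=%q handlerOmittedType=%v\n", ct, missing)
}
```

Running `probe` over every route in a test suite flags the handlers that depend on sniffing before a Go upgrade changes what clients receive.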
