Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
net/http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type #26077
Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (
But if you're not setting a content-type, it doesn't make sense to say that the value should not be sniffed by browser.
As such, in Go 1.11 we also don't sniff it, and issue a warning if you issued that header but forgot to set a Content-Type.
So, yes, this is intentional. Although I imagine this does break people who previously trusted Go's content-sniffing but didn't trust the more-aggressive browsers' content sniffing. In that regard this is a regression, but one I'm happy about if this is sufficiently documented in the release notes. https://go-review.googlesource.com/c/go/+/89275 is marked as RELNOTE=yes and I see https://tip.golang.org/doc/go1.11#net/http has a TODO to flesh out the docs on this.