net/http: Content-Type sniffing interacts poorly with compression

[andybalholm]

What version of Go are you using (go version)?

$ go version
go version go1.12.4 darwin/amd64

What did you do?

func serve(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Encoding", "gzip")
	gzw := gzip.NewWriter(w)
	defer gzw.Close()
	io.WriteString(gzw, `<!doctype html><p>Hello</p>`)
}

What did you expect to see?

Content-Type header of "text/html", or none at all.

What did you see instead?

Content-Type header of "application/x-gzip".

Since the content being written to the ResponseWriter is compressed with gzip, the Content-Type is being detected as application/x-gzip.

Content-Type sniffing should be disabled when there is a Content-Encoding header.

[firelizzard18]

I ran into the same issue. Chrome is pretty smart about ignoring the bad content type and correctly interpreting files. Firefox is not. Firefox will attempt to interpret the raw GZIP bytes as JavaScript (and fail badly).

[bradfitz]

@tombergan, thoughts?

[andybalholm]

Referenced in andybalholm/redwood@8299e5d

[gopherbot]

Change https://golang.org/cl/199799 mentions this issue: net/http: do not sniff response if Content-Encoding header is set

[gopherbot]

Change https://golang.org/cl/199841 mentions this issue: http2: do not sniff body if Content-Encoding is set

[gopherbot]

Change https://golang.org/cl/200102 mentions this issue: net/http: update bundled x/net/http2