net/http: Does DetectContentType support JavaScript?

https://github.com/golang/go/blob/c3931ab1b7bceddc56479d7ddbd7517d244bfe17/src/net/http/sniff.go#L21

Is there a real reason behind the net/http function DetectContentType not supporting JavaScript?

As the doc comment points out, DetectContentType implements the algorithm described at https://mimesniff.spec.whatwg.org/, and that algorithm does not detect JavaScript. So the question becomes: why not?

The introduction of the specification gives the answer:

These security issues are most severe when an "honest" server allows potentially malicious users to upload their own files and then serves the contents of those files with a low-privilege MIME type. For example, if a server believes that the client will treat a contributed file as an image (and thus treat it as benign), but a user agent believes the content to be HTML (and thus privileged to execute any scripts contained therein), an attacker might be able to steal the user’s authentication credentials and mount other cross-site scripting attacks. (Malicious servers, of course, can specify an arbitrary MIME type in the Content-Type header field.)

This document describes a content sniffing algorithm that carefully balances the compatibility needs of user agents with the security constraints imposed by existing web content.

Labelling untrusted input as JavaScript when it actually is not (or even when it is!) could be a security disaster.
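The answer above explains why the sniffer will never label bytes as JavaScript. As an added example that is not part of this thread, here is how a Go upload handler can use DetectContentType defensively: serve an untrusted file only under an allow-list of sniffed types, fall back to application/octet-stream otherwise, and send X-Content-Type-Options: nosniff so the browser does not re-sniff the result. The sample uploads and the ServeType/UploadHeaders helpers are constructed for this illustration, not taken from net/http.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample uploads (not from the thread): a script, an HTML
// document and the first bytes of a PNG file.
var samples = map[string][]byte{
	"script.js": []byte("function run() { return 42; }\n"),
	"page.html": []byte("<!DOCTYPE html><html><body>hi</body></html>"),
	"image.png": {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n', 0, 0, 0, 13, 'I', 'H', 'D', 'R'},
}

// Types an uploaded file may be served as. Anything sniffed outside this
// set (text/html in particular) is downgraded to application/octet-stream
// so the browser never gets a privileged, script-capable type for it.
var servableTypes = map[string]bool{
	"image/png":  true,
	"image/jpeg": true,
	"text/plain": true,
}

// ServeType decides the Content-Type for an untrusted upload. It sniffs the
// bytes with net/http's mimesniff implementation, drops parameters such as
// charset for the allow-list lookup, and falls back to octet-stream.
func ServeType(data []byte) string {
	sniffed := http.DetectContentType(data)
	base := strings.TrimSpace(strings.SplitN(sniffed, ";", 2)[0])
	if servableTypes[base] {
		return sniffed
	}
	return "application/octet-stream"
}

// UploadHeaders builds the response headers for an upload: the decided type
// plus nosniff, so a text/plain body is not re-sniffed into HTML or script.
func UploadHeaders(data []byte) http.Header {
	h := http.Header{}
	h.Set("Content-Type", ServeType(data))
	h.Set("X-Content-Type-Options", "nosniff")
	return h
}

func main() {
	for name, data := range samples {
		fmt.Printf("%-10s sniffed=%q served=%q\n", name, http.DetectContentType(data), ServeType(data))
	}
}
```

Note that the JavaScript sample is sniffed as text/plain, exactly as the spec intends; a server that wants to serve it as script must say so explicitly from its own knowledge of the file, never from sniffing.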