xContentTypeOptions function
Some browsers will try to "sniff" MIME types. For example, if my server serves file.txt with a text/plain content-type, some browsers can still run that file with <script src="file.txt"></script>. Many browsers will allow file.js to be run even if the content-type isn't for JavaScript.
Browsers' same-origin policies generally prevent remote resources from being loaded dangerously, but vulnerabilities in web browsers can cause this to be abused. Some browsers, like Chrome, will further isolate memory if the X-Content-Type-Options header is seen. There are some other vulnerabilities, too.
This middleware prevents Chrome, Opera 13+, IE 8+ and Firefox 50+ from doing this sniffing. The following example sets the X-Content-Type-Options header to its only option, nosniff:
import 'package:shelf/shelf.dart';
import 'package:shelf_helmet/shelf_helmet.dart';

final pipeline = const Pipeline().addMiddleware(xContentTypeOptions());
MSDN has a good description of how browsers behave when this header is sent.
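An added example (not part of the shelf_helmet documentation or source): a small Dart check that calls a handler directly and lists the routes whose responses lack nosniff. The handler serveFile, the helper missingNosniff and the sample paths are constructed for illustration.

```dart
import 'package:shelf/shelf.dart';
import 'package:shelf_helmet/shelf_helmet.dart';

// Constructed handler: answers every path with an explicit text/plain type,
// the case described above where a sniffing browser might still run the file.
Response serveFile(Request request) => Response.ok(
      'constructed sample body',
      headers: {'content-type': 'text/plain'},
    );

/// Returns the paths whose responses do not carry
/// X-Content-Type-Options: nosniff (hypothetical helper).
Future<List<String>> missingNosniff(Handler handler, List<String> paths) async {
  final missing = <String>[];
  for (final path in paths) {
    // Handlers are plain functions, so they can be called without a server.
    final request = Request('GET', Uri.parse('http://localhost$path'));
    final response = await handler(request);
    // shelf header lookups are case-insensitive.
    final value = response.headers['x-content-type-options'];
    if (value?.toLowerCase() != 'nosniff') {
      missing.add(path);
    }
  }
  return missing;
}

Future<void> main() async {
  final paths = ['/file.txt', '/file.js']; // constructed sample routes

  // Same handler, without and with the middleware.
  final bare = const Pipeline().addHandler(serveFile);
  final hardened = const Pipeline()
      .addMiddleware(xContentTypeOptions())
      .addHandler(serveFile);

  print('bare:     ${await missingNosniff(bare, paths)}');
  print('hardened: ${await missingNosniff(hardened, paths)}');
}
```

A check like this can run in a test suite so that a route added outside the pipeline shows up as missing the header.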
Implementation
Middleware xContentTypeOptions() {
  return (innerHandler) {
    return (request) async {
      // Run the wrapped handler first, then add the header to its response.
      final response = await innerHandler(request);
      return response.change(
        headers: {'x-content-type-options': 'nosniff', ...response.headersAll},
      );
    };
  };
}