Disable the content sniffing algorithm if the server instructs us to do so...

Disable the content sniffing algorithm if the server instructs us to do so with the nosniff directive.

For context, see http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

R=deanm,darin

Review URL: http://codereview.chromium.org/12982

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@6422 0039d316-1c4b-4281-b951-d872f2087c98

chrome/browser/resource_dispatcher_host.cc

@@ -1133,7 +1133,11 @@ bool ResourceDispatcherHost::BufferedEventHandler::DelayResponse() {
   std::string mime_type;
   request_->GetMimeType(&mime_type);
 
-  if (net::ShouldSniffMimeType(request_->url(), mime_type)) {
+  std::string content_type_options;
+  request_->GetResponseHeaderByName("x-content-type-options",
+                                    &content_type_options);
+  if (content_type_options != "nosniff" &&
+      net::ShouldSniffMimeType(request_->url(), mime_type)) {
     // We're going to look at the data before deciding what the content type
     // is.  That means we need to delay sending the ResponseStarted message
     // over the IPC channel.

chrome/browser/resource_dispatcher_host_uitest.cc

@@ -50,6 +50,10 @@ TEST_F(ResourceDispatcherTest, SniffHTMLWithNoContentType) {
                  L"Content Sniffer Test 0");
 }
 
+TEST_F(ResourceDispatcherTest, RespectNoSniffDirective) {
+  CheckTitleTest(L"nosniff-test.html", L"");
+}
+
 TEST_F(ResourceDispatcherTest, DoNotSniffHTMLFromTextPlain) {
   CheckTitleTest(L"content-sniffer-test1.html", L"");
 }

chrome/test/data/nosniff-test.html

+<html>
+<head><title>nosniff Test</title></head>
+<body>We should NOT sniff this content as HTML.</body>
+</html>

chrome/test/data/nosniff-test.html.mock-http-headers

+HTTP/1.1 200 OK
+Content-Length: 111
+X-Content-Type-Options: nosniff
+Date: Mon, 13 Nov 2006 21:38:09 GMT
+Expires: Tue, 14 Nov 2006 19:23:58 GMT