Merge pull request #37190 from brendandburns/xss

Automatic merge from submit-queue Add 'X-Content-Type-Options: nosniff" to some error messages Fixes https://github.com/kubernetes/kubernetes/issues/37108 @lavalamp @timstclair (though actually, it's not 100% clear to me that these functions are ever called anywhere...)
2025-07-23 03:41:45 +00:00 · 2016-12-14 23:32:37 -08:00 · 2016-12-14 23:32:37 -08:00 · 275bed8b54
commit 275bed8b54
parent 9eb82fadc4 43251c92e1
1 changed files with 6 additions and 0 deletions
--- a/pkg/apiserver/filters/errors.go
+++ b/pkg/apiserver/filters/errors.go
@ -26,6 +26,8 @@ import (

 // badGatewayError renders a simple bad gateway error.
 func badGatewayError(w http.ResponseWriter, req *http.Request) {
+	w.Header().Set("Content-Type", "text/plain")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.WriteHeader(http.StatusBadGateway)
 	fmt.Fprintf(w, "Bad Gateway: %#v", req.RequestURI)
 }
@ -33,6 +35,8 @@ func badGatewayError(w http.ResponseWriter, req *http.Request) {
 // forbidden renders a simple forbidden error
 func forbidden(attributes authorizer.Attributes, w http.ResponseWriter, req *http.Request, reason string) {
 	msg := forbiddenMessage(attributes)
+	w.Header().Set("Content-Type", "text/plain")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.WriteHeader(http.StatusForbidden)
 	fmt.Fprintf(w, "%s: %q", msg, reason)
 }
@ -57,6 +61,8 @@ func forbiddenMessage(attributes authorizer.Attributes) string {

 // internalError renders a simple internal error
 func internalError(w http.ResponseWriter, req *http.Request, err error) {
+	w.Header().Set("Content-Type", "text/plain")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.WriteHeader(http.StatusInternalServerError)
 	fmt.Fprintf(w, "Internal Server Error: %#v", req.RequestURI)
 	runtime.HandleError(err)