Bug 1819642 - replace GetHeader with GetOriginalHeader in nsHttpResponseHead::GetContentTypeOptionsHeader. r=necko-reviewers,jesup

Differential Revision: https://phabricator.services.mozilla.com/D175506

netwerk/protocol/http/OpaqueResponseUtils.cpp

@@ -118,7 +118,7 @@ OpaqueResponseBlockedReason GetOpaqueResponseBlockedReason(
 }
 
 OpaqueResponseBlockedReason GetOpaqueResponseBlockedReason(
-    const nsHttpResponseHead& aResponseHead) {
+    nsHttpResponseHead& aResponseHead) {
   nsAutoCString contentType;
   aResponseHead.ContentType(contentType);
 

netwerk/protocol/http/OpaqueResponseUtils.h

@@ -51,7 +51,7 @@ OpaqueResponseBlockedReason GetOpaqueResponseBlockedReason(
     const nsACString& aContentType, uint16_t aStatus, bool aNoSniff);
 
 OpaqueResponseBlockedReason GetOpaqueResponseBlockedReason(
-    const nsHttpResponseHead& aResponseHead);
+    nsHttpResponseHead& aResponseHead);
 
 // Returns a tuple of (rangeStart, rangeEnd, rangeTotal) from the input range
 // header string if succeed.

netwerk/protocol/http/nsHttpResponseHead.cpp

@@ -1222,6 +1222,38 @@ nsresult nsHttpResponseHead::VisitHeaders(
   return rv;
 }
 
+namespace {
+class ContentTypeOptionsVisitor final : public nsIHttpHeaderVisitor {
+ public:
+  NS_DECL_ISUPPORTS
+
+  ContentTypeOptionsVisitor() = default;
+
+  NS_IMETHOD
+  VisitHeader(const nsACString& aHeader, const nsACString& aValue) override {
+    if (!mHeaderPresent) {
+      mHeaderPresent = true;
+    } else {
+      // multiple XCTO headers in response, merge them
+      mContentTypeOptionsHeader.Append(", "_ns);
+    }
+    mContentTypeOptionsHeader.Append(aValue);
+    return NS_OK;
+  }
+
+  void GetMergedHeader(nsACString& aValue) {
+    aValue = mContentTypeOptionsHeader;
+  }
+
+ private:
+  ~ContentTypeOptionsVisitor() = default;
+  bool mHeaderPresent{false};
+  nsAutoCString mContentTypeOptionsHeader;
+};
+
+NS_IMPL_ISUPPORTS(ContentTypeOptionsVisitor, nsIHttpHeaderVisitor)
+}  // namespace
+
 nsresult nsHttpResponseHead::GetOriginalHeader(const nsHttpAtom& aHeader,
                                                nsIHttpHeaderVisitor* aVisitor) {
   RecursiveMutexAutoLock monitor(mRecursiveMutex);
@@ -1241,12 +1273,15 @@ bool nsHttpResponseHead::HasContentCharset() {
   return !mContentCharset.IsEmpty();
 }
 
-bool nsHttpResponseHead::GetContentTypeOptionsHeader(
-    nsACString& aOutput) const {
+bool nsHttpResponseHead::GetContentTypeOptionsHeader(nsACString& aOutput) {
   aOutput.Truncate();
 
   nsAutoCString contentTypeOptionsHeader;
-  Unused << GetHeader(nsHttp::X_Content_Type_Options, contentTypeOptionsHeader);
+  // We need to fetch original headers and manually merge them because empty
+  // header values are not retrieved with GetHeader. Ref - Bug 1819642
+  RefPtr<ContentTypeOptionsVisitor> visitor = new ContentTypeOptionsVisitor();
+  Unused << GetOriginalHeader(nsHttp::X_Content_Type_Options, visitor);
+  visitor->GetMergedHeader(contentTypeOptionsHeader);
   if (contentTypeOptionsHeader.IsEmpty()) {
     // if there is no XCTO header, then there is nothing to do.
     return false;
@@ -1256,7 +1291,7 @@ bool nsHttpResponseHead::GetContentTypeOptionsHeader(
   // a) let's skip all subsequent values
   //     e.g. "   NoSniFF   , foo " will be "   NoSniFF   "
   int32_t idx = contentTypeOptionsHeader.Find(",");
-  if (idx > 0) {
+  if (idx >= 0) {
     contentTypeOptionsHeader = Substring(contentTypeOptionsHeader, 0, idx);
   }
   // b) let's trim all surrounding whitespace

netwerk/protocol/http/nsHttpResponseHead.h

@@ -144,7 +144,7 @@ class nsHttpResponseHead {
 
   bool HasContentType() const;
   bool HasContentCharset();
-  bool GetContentTypeOptionsHeader(nsACString& aOutput) const;
+  bool GetContentTypeOptionsHeader(nsACString& aOutput);
 
  private:
   [[nodiscard]] nsresult SetHeader_locked(const nsHttpAtom& atom,

testing/web-platform/meta/fetch/nosniff/parsing-nosniff.window.js.ini

@@ -1,4 +0,0 @@
-[parsing-nosniff.window.html]
-  [X-Content-Type-Options%3A%0D%0AX-Content-Type-Options%3A%20nosniff]
-    expected: FAIL
-