When the server says "nosniff" but then doesn't give us a Content-Type we now...

chrome/browser/renderer_host/buffered_resource_handler.cc

Index: chrome/browser/renderer_host/buffered_resource_handler.cc
===================================================================
--- chrome/browser/renderer_host/buffered_resource_handler.cc	(revision 8447)
+++ chrome/browser/renderer_host/buffered_resource_handler.cc	(working copy)
@@ -116,7 +116,8 @@
   request_->GetResponseHeaderByName("x-content-type-options",
                                     &content_type_options);
 
-  const bool sniffing_blocked = (content_type_options == "nosniff");
+  const bool sniffing_blocked =
+      LowerCaseEqualsASCII(content_type_options, "nosniff");

[darin (slow to review), 2009/01/23 15:59:05]

good fix

   const bool we_would_like_to_sniff =
       net::ShouldSniffMimeType(request_->url(), mime_type);
 
@@ -131,6 +132,14 @@
     return true;
   }
 
+  if (sniffing_blocked && mime_type.empty()) {
+    // Ugg.  The server told us not to sniff the content but didn't give us a
+    // mime type.  What's a browser to do?  Turns out, we're supposed to treat
+    // the response as "text/plain".  This is the most secure option.
+    mime_type.assign("text/plain");
+    response_->response_head.mime_type.assign(mime_type);
+  }
+
   if (ShouldBuffer(request_->url(), mime_type)) {
     // This is a temporary fix for the fact that webkit expects to have
     // enough data to decode the doctype in order to select the rendering