Check the X-Content-Type-Options in text/html responses only

StJudeWasHere · Oct 30, 2023 · 8d2118f · 8d2118f
1 parent 961abf5
commit 8d2118f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/internal/report_manager/reporters/security.go b/internal/report_manager/reporters/security.go
@@ -73,6 +73,10 @@ func NewMissingCSPReporter() *report_manager.PageIssueReporter {
 // The callback returns true if the header does not exist.
 func NewMissingContentTypeOptionsReporter() *report_manager.PageIssueReporter {
 	c := func(pageReport *models.PageReport, htmlNode *html.Node, header *http.Header) bool {
+		if pageReport.MediaType != "text/html" {
+			return false
+		}
+
 		contentTypeOptions := header.Get("X-Content-Type-Options")
 
 		return contentTypeOptions != "nosniff"

diff --git a/internal/report_manager/reporters/security_test.go b/internal/report_manager/reporters/security_test.go
@@ -155,6 +155,12 @@ func TestMissingCSPIssues(t *testing.T) {
 // Test the MissingHSTSHeader reporter with X-Content-Type-Options header.
 // The reporter should not report the issue.
 func TestMissingContentTypeOptionsNoIssues(t *testing.T) {
+	pageReport := &models.PageReport{
+		Crawled:    true,
+		MediaType:  "text/html",
+		StatusCode: 200,
+	}
+
 	reporter := reporters.NewMissingContentTypeOptionsReporter()
 	if reporter.ErrorType != reporter_errors.ErrorContentTypeOptions {
 		t.Errorf("error type is not correct")
@@ -164,7 +170,7 @@ func TestMissingContentTypeOptionsNoIssues(t *testing.T) {
 	header.Set("X-Content-Type-Options", "nosniff")
 
 	// Run the reporter callback with the PageReport.
-	reportsIssue := reporter.Callback(&models.PageReport{}, &html.Node{}, header)
+	reportsIssue := reporter.Callback(pageReport, &html.Node{}, header)
 
 	// The reporter should not found any issue.
 	if reportsIssue == true {
@@ -175,13 +181,19 @@ func TestMissingContentTypeOptionsNoIssues(t *testing.T) {
 // Test the MissingHSTSHeader reporter without the X-Content-Type-Options header.
 // The reporter should report the issue.
 func TestMissingContentTypeOptionsIssues(t *testing.T) {
+	pageReport := &models.PageReport{
+		Crawled:    true,
+		MediaType:  "text/html",
+		StatusCode: 200,
+	}
+
 	reporter := reporters.NewMissingContentTypeOptionsReporter()
 	if reporter.ErrorType != reporter_errors.ErrorContentTypeOptions {
 		t.Errorf("error type is not correct")
 	}
 
 	// Run the reporter callback with the PageReport.
-	reportsIssue := reporter.Callback(&models.PageReport{}, &html.Node{}, &http.Header{})
+	reportsIssue := reporter.Callback(pageReport, &html.Node{}, &http.Header{})
 
 	// The reporter should not found any issue.
 	if reportsIssue == false {