authorGitLab Bot <gitlab-bot@gitlab.com>2022-03-16 21:08:16 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-03-16 21:08:16 +0300
commit204df35415f2b0ed86c83b31b1d276f52e07e577 (patch)
tree1db4c0f302c145a5b6cd02afe7d49ea72267f612 /workhorse
parentdb19df23733c768c564534a09de2e6718097ec95 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'workhorse')
-rw-r--r--workhorse/internal/staticpages/servefile.go3
-rw-r--r--workhorse/internal/staticpages/servefile_test.go3
2 files changed, 6 insertions, 0 deletions
diff --git a/workhorse/internal/staticpages/servefile.go b/workhorse/internal/staticpages/servefile.go
index be314f181b7..18fcdadcbed 100644
--- a/workhorse/internal/staticpages/servefile.go
+++ b/workhorse/internal/staticpages/servefile.go
@@ -67,6 +67,9 @@ func (s *Static) ServeExisting(prefix urlprefix.Prefix, cache CacheMode, notFoun
notFoundHandler.ServeHTTP(w, r)
return
}
+
+ w.Header().Set("X-Content-Type-Options", "nosniff")
+
defer content.Close()
switch cache {
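Review bot: The `nosniff` header is set only after the early `return` that hands the request to `notFoundHandler`, so only files actually served from disk receive it at this point. Whether the fallback response carries `X-Content-Type-Options` depends on that handler, which the hunk does not show, so it is worth confirming that the fallback path sets it as well. A short comment above the call, such as `// Stop browsers from MIME-sniffing files served from the document root.`, would record why the header is set here and why it is limited to the found-file path. The body of ServeExisting starts and ends outside the hunk.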
diff --git a/workhorse/internal/staticpages/servefile_test.go b/workhorse/internal/staticpages/servefile_test.go
index f27bd0ccaeb..67675beccf8 100644
--- a/workhorse/internal/staticpages/servefile_test.go
+++ b/workhorse/internal/staticpages/servefile_test.go
@@ -78,6 +78,7 @@ func TestServingTheActualFile(t *testing.T) {
w := httptest.NewRecorder()
st := &Static{DocumentRoot: dir}
st.ServeExisting("/", CacheDisabled, nil).ServeHTTP(w, httpRequest)
+ testhelper.RequireResponseHeader(t, w, "X-Content-Type-Options", "nosniff")
require.Equal(t, 200, w.Code)
if w.Body.String() != fileContent {
t.Error("We should serve the file: ", w.Body.String())
@@ -109,6 +110,7 @@ func TestExcludedPaths(t *testing.T) {
st.ServeExisting("/", CacheDisabled, nil).ServeHTTP(w, httpRequest)
if tc.found {
+ testhelper.RequireResponseHeader(t, w, "X-Content-Type-Options", "nosniff")
require.Equal(t, 200, w.Code)
require.Equal(t, tc.contents, w.Body.String())
} else {
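Review bot: The new assertion sits only in the `tc.found` branch, so the test pins the header on 200 responses but leaves the excluded-path case unspecified. If the header is meant to be absent there, a line such as `require.Empty(t, w.Header().Get("X-Content-Type-Options"))` in the `else` branch would make that contract explicit and catch a later change that moves the `Set` call. The `else` branch continues outside the hunk, so it may already cover this.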
@@ -144,6 +146,7 @@ func testServingThePregzippedFile(t *testing.T, enableGzip bool) {
w := httptest.NewRecorder()
st := &Static{DocumentRoot: dir}
st.ServeExisting("/", CacheDisabled, nil).ServeHTTP(w, httpRequest)
+ testhelper.RequireResponseHeader(t, w, "X-Content-Type-Options", "nosniff")
require.Equal(t, 200, w.Code)
if enableGzip {
testhelper.RequireResponseHeader(t, w, "Content-Encoding", "gzip")