net/http: revert CL 89275 (don't sniff Content-Type when nosniff set)

Also updates the bundled http2 to x/net/http2 git rev 49c15d80 for:

   http2: revert CL 107295 (don't sniff Content-type in Server when nosniff)
   https://golang.org/cl/126895

Fixes #24795

Change-Id: I6ae1a21c919947089274e816eb628d20490f83ce
Reviewed-on: https://go-review.googlesource.com/126896Reviewed-by: Damien Neil <dneil@google.com>

doc/go1.11.html

@@ -677,10 +677,7 @@ for k := range m {
       methods will return errors after a shutdown or close.
     </p>
 
-    <p><!-- CL 89275 -->
-      The HTTP server will no longer automatically set the Content-Type if a
-      <code>Handler</code> sets the "<code>X-Content-Type-Options</code>" header to "<code>nosniff</code>".
-    </p>
+    <!-- CL 89275 was reverted before Go 1.11 -->
 
     <p><!-- CL 93296 -->
       The constant <code>StatusMisdirectedRequest</code> is now defined for HTTP status code 421.

src/net/http/h2_bundle.go

@@ -6135,16 +6135,8 @@ func (rws *http2responseWriterState) writeChunk(p []byte) (n int, err error) {
 		}
 		_, hasContentType := rws.snapHeader["Content-Type"]
 		if !hasContentType && http2bodyAllowedForStatus(rws.status) && len(p) > 0 {
-			if cto := rws.snapHeader.Get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
-				// nosniff is an explicit directive not to guess a content-type.
-				// Content-sniffing is no less susceptible to polyglot attacks via
-				// hosted content when done on the server.
-				ctype = "application/octet-stream"
-				rws.conn.logf("http2: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
-			} else {
 			ctype = DetectContentType(p)
 		}
-		}
 		var date string
 		if _, ok := rws.snapHeader["Date"]; !ok {
 			// TODO(bradfitz): be faster here, like net/http? measure.

src/net/http/serve_test.go

@@ -3585,26 +3585,6 @@ func TestHeaderToWire(t *testing.T) {
 				return nil
 			},
 		},
-		{
-			name: "Nosniff without Content-type",
-			handler: func(rw ResponseWriter, r *Request) {
-				rw.Header().Set("X-Content-Type-Options", "nosniff")
-				rw.WriteHeader(200)
-				rw.Write([]byte("<!doctype html>\n<html><head></head><body>some html</body></html>"))
-			},
-			check: func(got, logs string) error {
-				if !strings.Contains(got, "Content-Type: application/octet-stream\r\n") {
-					return errors.New("Output should have an innocuous content-type")
-				}
-				if strings.Contains(got, "text/html") {
-					return errors.New("Output should not have a guess")
-				}
-				if !strings.Contains(logs, "X-Content-Type-Options:nosniff but no Content-Type") {
-					return errors.New("Expected log message")
-				}
-				return nil
-			},
-		},
 	}
 	for _, tc := range tests {
 		ht := newHandlerTest(HandlerFunc(tc.handler))

src/net/http/server.go

@@ -1360,16 +1360,8 @@ func (cw *chunkWriter) writeHeader(p []byte) {
 		// If no content type, apply sniffing algorithm to body.
 		_, haveType := header["Content-Type"]
 		if !haveType && !hasTE && len(p) > 0 {
-			if cto := header.get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
-				// nosniff is an explicit directive not to guess a content-type.
-				// Content-sniffing is no less susceptible to polyglot attacks via
-				// hosted content when done on the server.
-				setHeader.contentType = "application/octet-stream"
-				w.conn.server.logf("http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
-			} else {
 			setHeader.contentType = DetectContentType(p)
 		}
-		}
 	} else {
 		for _, k := range suppressedHeaders(code) {
 			delHeader(k)