From 8287289bcbcc355bdbcc4d1247da624616210d3b Mon Sep 17 00:00:00 2001
From: joerg-richter-5234
Date: Sat, 20 May 2023 13:07:15 +0200
Subject: [PATCH] Fix XContentTypeOptionsServerHttpHeadersWriter set constant value to X-Content-Type-Options

Closes gh-13155
---
 ...entTypeOptionsServerHttpHeadersWriter.java | 2 +-
 ...peOptionsServerHttpHeadersWriterTests.java | 41 +++++++++++++++++--
 2 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/server/header/XContentTypeOptionsServerHttpHeadersWriter.java b/web/src/main/java/org/springframework/security/web/server/header/XContentTypeOptionsServerHttpHeadersWriter.java
index 0f65321d8c..cd7d1b4e43 100644
--- a/web/src/main/java/org/springframework/security/web/server/header/XContentTypeOptionsServerHttpHeadersWriter.java
+++ b/web/src/main/java/org/springframework/security/web/server/header/XContentTypeOptionsServerHttpHeadersWriter.java
@@ -28,7 +28,7 @@ import org.springframework.web.server.ServerWebExchange;
 */
 public class XContentTypeOptionsServerHttpHeadersWriter implements ServerHttpHeadersWriter {
 
- public static final String X_CONTENT_OPTIONS = "X-Content-Options";
+ public static final String X_CONTENT_OPTIONS = "X-Content-Type-Options";
 
 public static final String NOSNIFF = "nosniff";
 
diff --git a/web/src/test/java/org/springframework/security/web/server/header/XContentTypeOptionsServerHttpHeadersWriterTests.java b/web/src/test/java/org/springframework/security/web/server/header/XContentTypeOptionsServerHttpHeadersWriterTests.java
index a48583ddc3..9ffecbcf5d 100644
--- a/web/src/test/java/org/springframework/security/web/server/header/XContentTypeOptionsServerHttpHeadersWriterTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/header/XContentTypeOptionsServerHttpHeadersWriterTests.java
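Review bot: `X_CONTENT_OPTIONS` is a `public static final String` initialised from a literal, so the compiler inlines its value into every class that references it; code compiled against the old `"X-Content-Options"` keeps using the wrong header name until it is rebuilt against this version. That deserves a line in the release notes, because under the misspelt name browsers never see `nosniff` and the MIME-sniffing protection is silently absent. The constant also has no Javadoc; something like `/** Name of the X-Content-Type-Options response header. */` would state the intended value, and the field name still omits "Type", presumably kept for compatibility. The class body continues outside the hunk.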
@@ -32,11 +32,14 @@ import static org.assertj.core.api.Assertions.assertThat; public class XContentTypeOptionsServerHttpHeadersWriterTests { ContentTypeOptionsServerHttpHeadersWriter writer = new ContentTypeOptionsServerHttpHeadersWriter(); - ServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/").build()); - HttpHeaders headers = this.exchange.getResponse().getHeaders(); + + XContentTypeOptionsServerHttpHeadersWriter writerXContentType = new XContentTypeOptionsServerHttpHeadersWriter(); + ServerWebExchange exchangeXContentType = MockServerWebExchange.from(MockServerHttpRequest.get("/").build()); + HttpHeaders headersXContentType = this.exchangeXContentType.getResponse().getHeaders(); + @Test public void writeHeadersWhenNoHeadersThenWriteHeaders() { this.writer.writeHttpHeaders(this.exchange); @@ -46,7 +49,7 @@ public class XContentTypeOptionsServerHttpHeadersWriterTests { } @Test - public void writeHeadersWhenHeaderWrittenThenDoesNotOverrride() { + public void writeHeadersWhenHeaderWrittenThenDoesNotOverride() { String headerValue = "value"; this.headers.set(ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS, headerValue); this.writer.writeHttpHeaders(this.exchange); 
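Review bot: The three `*XContentType` fields in the hunk at -32 duplicate the existing `writer`/`exchange`/`headers` fixtures, and the tests added in the hunk at -55 repeat each existing test body under a `...ForXContentTypeOptionsServerHttpHeadersWriter` name. The class is named `XContentTypeOptionsServerHttpHeadersWriterTests` while its original fixture is a `ContentTypeOptionsServerHttpHeadersWriter`, so it would read more clearly to give each writer its own test class or to run one set of tests against both writers. The hunk also appears to remove the blank lines that separated the existing field declarations, which looks unrelated to the fix.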
@@ -55,4 +58,36 @@ public class XContentTypeOptionsServerHttpHeadersWriterTests {
 .containsOnly(headerValue);
 }
 
+ @Test
+ public void constantsMatchExpectedHeaderAndValue() {
+ assertThat(ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS)
+ .isEqualTo("X-Content-Type-Options");
+ assertThat(ContentTypeOptionsServerHttpHeadersWriter.NOSNIFF).isEqualTo("nosniff");
+ }
+
+ @Test
+ public void writeHeadersWhenNoHeadersThenWriteHeadersForXContentTypeOptionsServerHttpHeadersWriter() {
+ this.writerXContentType.writeHttpHeaders(this.exchangeXContentType);
+ assertThat(this.headersXContentType).hasSize(1);
+ assertThat(this.headersXContentType.get(XContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS))
+ .containsOnly(XContentTypeOptionsServerHttpHeadersWriter.NOSNIFF);
+ }
+
+ @Test
+ public void writeHeadersWhenHeaderWrittenThenDoesNotOverrideForXContentTypeOptionsServerHttpHeadersWriter() {
+ String headerValue = "value";
+ this.headersXContentType.set(XContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS, headerValue);
+ this.writerXContentType.writeHttpHeaders(this.exchangeXContentType);
+ assertThat(this.headersXContentType).hasSize(1);
+ assertThat(this.headersXContentType.get(XContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS))
+ .containsOnly(headerValue);
+ }
+
+ @Test
+ public void constantsMatchExpectedHeaderAndValueForXContentTypeOptionsServerHttpHeadersWriter() {
+ assertThat(XContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS)
+ .isEqualTo("X-Content-Type-Options");
+ assertThat(XContentTypeOptionsServerHttpHeadersWriter.NOSNIFF).isEqualTo("nosniff");
+ }
+
 }
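Review bot: The two `writeHeaders...ForXContentTypeOptionsServerHttpHeadersWriter` tests read the response header through `XContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS`, presumably the same constant the writer itself uses, so they pass whatever string that constant holds; only the `constantsMatchExpectedHeaderAndValue...` tests pin the actual name. Asserting on the literal in the behavioural test, e.g. `assertThat(this.headersXContentType.get("X-Content-Type-Options")).containsOnly("nosniff");`, would make it fail if the header name regressed. That matters here because a wrong name does not break anything visibly; the response simply goes out without the `nosniff` protection.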