Do not add or replace Content-Type header

If the Content-Type is missing or not application/pdf, then we serve the file
with Content-Disposition: attachment.

Iterate through the headers in a way that avoids adding duplicate headers.

Author: masenf

packages/reflex-components-core/src/reflex_components_core/core/_upload.py

@@ -577,6 +577,11 @@ async def _upload_chunk_file(
     return Response(status_code=202)
 
 
+header_content_disposition = b"content-disposition"
+header_content_type = b"content-type"
+header_x_content_type_options = b"x-content-type-options"
+
+
 class UploadedFilesHeadersMiddleware:
     """ASGI middleware that adds security headers to uploaded file responses."""
 
@@ -600,16 +605,28 @@ async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
             await self.app(scope, receive, send)
             return
 
-        is_pdf = scope.get("path", "").lower().endswith(".pdf")
-
         async def send_with_headers(message: MutableMapping[str, Any]) -> None:
             if message["type"] == "http.response.start":
-                headers = list(message.get("headers", []))
-                headers.append((b"x-content-type-options", b"nosniff"))
-                if is_pdf:
-                    headers.append((b"content-type", b"application/pdf"))
-                else:
-                    headers.append((b"content-disposition", b"attachment"))
+                content_disposition = None
+                content_type = None
+                headers = [(header_x_content_type_options, b"nosniff")]
+                for header_name, header_value in message.get("headers", []):
+                    lower_name = header_name.lower()
+                    if lower_name == header_content_disposition:
+                        content_disposition = header_value.lower()
+                        # Always append content-disposition header if non-empty.
+                        continue
+                    if lower_name == header_x_content_type_options:
+                        # Always replace this value with "nosniff", so ignore existing value.
+                        continue
+                    if lower_name == header_content_type:
+                        content_type = header_value.lower()
+                    headers.append((header_name, header_value))
+                if content_type != b"application/pdf":
+                    # Unknown content or non-PDF forces download.
+                    content_disposition = b"attachment"
+                if content_disposition:
+                    headers.append((header_content_disposition, content_disposition))
                 message = {**message, "headers": headers}
             await send(message)
 

tests/integration/test_upload.py

@@ -749,17 +749,44 @@ def test_upload_download_file(
     assert downloaded_file.read_text() == exp_contents
 
 
+@pytest.mark.parametrize(
+    ("exp_name", "exp_contents", "expect_attachment", "expected_mime_type"),
+    [
+        (
+            "malicious.html",
+            "<html><body><script>alert('xss')</script></body></html>",
+            True,
+            "text/html; charset=utf-8",
+        ),
+        ("document.pdf", "%PDF-1.4 fake pdf contents", False, "application/pdf"),
+        ("readme.txt", "plain text contents", True, "text/plain; charset=utf-8"),
+    ],
+    ids=["html", "pdf", "txt"],
+)
 def test_uploaded_file_security_headers(
     tmp_path,
     upload_file: AppHarness,
     driver: WebDriver,
+    exp_name: str,
+    exp_contents: str,
+    expect_attachment: bool,
+    expected_mime_type: str,
 ):
-    """Upload an HTML file and verify security headers prevent inline rendering.
+    """Upload a file and verify security headers on the served response.
+
+    For non-PDF files, Content-Disposition: attachment must be set to force a
+    download.  For PDF files, Content-Disposition must NOT be set so the browser
+    can render them inline, but Content-Type: application/pdf is always present.
+    X-Content-Type-Options: nosniff is always required.
 
     Args:
         tmp_path: pytest tmp_path fixture
         upload_file: harness for UploadFile app.
         driver: WebDriver instance.
+        exp_name: filename to upload.
+        exp_contents: file contents to upload.
+        expect_attachment: whether the response should force a download.
+        expected_mime_type: expected Content-Type mime type.
     """
     import httpx
     from reflex_base.config import get_config
@@ -772,8 +799,6 @@ def test_uploaded_file_security_headers(
     upload_box = driver.find_elements(By.XPATH, "//input[@type='file']")[2]
     upload_button = driver.find_element(By.ID, "upload_button_tertiary")
 
-    exp_name = "malicious.html"
-    exp_contents = "<html><body><script>alert('xss')</script></body></html>"
     target_file = tmp_path / exp_name
     target_file.write_text(exp_contents)
 
@@ -788,8 +813,17 @@ def test_uploaded_file_security_headers(
     resp = httpx.get(upload_url)
     assert resp.status_code == 200
     assert resp.text == exp_contents
-    assert resp.headers["content-disposition"] == "attachment"
     assert resp.headers["x-content-type-options"] == "nosniff"
+    assert resp.headers["content-type"] == expected_mime_type
+
+    if expect_attachment:
+        assert resp.headers["content-disposition"] == "attachment"
+    else:
+        assert "content-disposition" not in resp.headers
+
+    if not expect_attachment:
+        # PDF: no browser download test needed, skip the rest.
+        return
 
     # Configure the download directory using CDP.
     download_dir = tmp_path / "downloads"