Closed Bug 583904 Opened 14 years ago Closed 14 years ago

Send 'X-Content-Type-Options: nosniff' header on attachments with a content-type to prevent IE from sniffing

Categories

(Bugzilla :: Attachments & Requests, enhancement)

Product:
Bugzilla
Component:
Attachments & Requests
Version:
3.6.1
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 453425

People

(Reporter: reed, Unassigned)

Details

I was reading the patch MantisBT implemented for http://www.mantisbt.org/bugs/view.php?id=11952 (http://www.mantisbt.org/blog/?p=113), and I came across something we should probably do in Bugzilla.

There is a header that we can send to make IE not second-guess the content-type we're sending with attachments. Documentation is available at http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx, but basically, we just need to send 'X-Content-Type-Options: nosniff' on attachments.

We're pretty secure as-is with regards to handling attachments, but I think this would help protect us more, especially on IE...
Flags: blocking4.0?
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Target Milestone: Bugzilla 4.0 → ---
Flags: blocking4.0?
You need to log in before you can comment on or make changes to this bug.