Closed Bug 671612 Opened 13 years ago Closed 12 years ago

Send "X-Content-Type-Options: nosniff" with every response

Categories

(Bugzilla :: Bugzilla-General, enhancement)

RESOLVED FIXED
Bugzilla 4.2

People

(Reporter: mkanat, Assigned: selsky)

It just occurred to me that we should be sending "X-Content-Type-Options: nosniff" along with *every* response, not just with attachments. We specify a valid content-type always, on all our pages, and we never want IE or any browser sniffing.

Why does it matter, outside attachments?
(In reply to comment #1)
> Why does it matter, outside attachments?

Who can say? Maybe some extension will want to use it, maybe we have some pages that might otherwise be sniffed. There are various valid security situations which could come up in the future where this would be useful on all our pages. (I'm happy to describe some of them to you privately if you'd like.)
(In reply to comment #2)
> I'm happy to describe some of them to you privately if you'd like.

Yes, please! :)

Note that I'm not opposed to this proposal (as it's trivial to implement). But I just want to understand what are the security implications you are talking about. I doubt that most websites around the world pass this response, and they are still working fine.
(In reply to comment #3)
> (In reply to comment #2)
> > I'm happy to describe some of them to you privately if you'd like.
> 
> Yes, please! :)

Okay. Grab me on IRC.

> I doubt that most websites around the world pass this
> response, and they are still working fine.

Actually, quite a few are starting to, now that Safari, IE 8, and IE 9 are becoming more popular. Also, I would say that "most websites around the world" have a poor security posture. :-)
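One way the behaviour proposed in this bug can be implemented in a Perl CGI-based application, shown as an added illustration rather than the patch attached to this bug: subclass CGI and prepend the header in header(), so every page and attachment gets it without each script remembering to. The package name My::CGI and the argument handling are assumptions for this example.

```perl
#!/usr/bin/perl
# Hypothetical illustration, not Bugzilla's own code: send
# "X-Content-Type-Options: nosniff" on every response by overriding
# header() in a CGI subclass. Requires the CGI module to be installed.
package My::CGI;
use strict;
use warnings;
use parent 'CGI';

sub header {
    my $self = shift;
    my @args = @_;
    # CGI::header() also accepts a single positional content-type string;
    # turn that into a named parameter so the extra header can be added uniformly.
    @args = ('-type' => $args[0]) if @args == 1 && $args[0] !~ /^-/;
    # Prepend rather than append: if a caller deliberately passes its own
    # value for this header, the later occurrence wins in CGI.pm.
    # CGI.pm maps unknown -names to header fields, turning underscores into
    # dashes ("X-content-type-options:"); field names are case-insensitive.
    unshift @args, '-x_content_type_options' => 'nosniff';
    return $self->SUPER::header(@args);
}

package main;
use strict;
use warnings;

my $cgi = My::CGI->new;

# A normal HTML page keeps its declared type and gains the nosniff header.
my $page_hdr = $cgi->header(-type => 'text/html; charset=UTF-8');

# An attachment served as text/plain gets the same protection, so a browser
# will not second-guess the declared type and render it as HTML.
my $attach_hdr = $cgi->header(-type => 'text/plain', -attachment => 'patch.diff');

print $page_hdr, "----\n", $attach_hdr;
```

Both printed header blocks should contain an X-Content-Type-Options line alongside the Content-Type, which is the property to verify on a deployed instance (for example with curl -I against a few distinct pages, not only attachment.cgi).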
Target Milestone: Bugzilla 4.2 → Bugzilla 4.4
Assignee: general → selsky
Status: NEW → ASSIGNED
Attachment #627623 - Flags: review?(LpSolit)
yep, we should do this... +1 from me.
Comment on attachment 627623 [details] [diff] [review]
Add header to all responses, v1

r=LpSolit
Attachment #627623 - Flags: review?(LpSolit) → review+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
modified Bugzilla/CGI.pm
modified Bugzilla/Attachment/PatchReader.pm
Committed revision 8249.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Requesting approval to land this on 4.2 as well in order to better prevent some IE-specific XSS issues.
Status: RESOLVED → REOPENED
Flags: approval4.2?
Resolution: FIXED → ---
Target Milestone: Bugzilla 4.4 → Bugzilla 4.2
Flags: approval4.2? → approval4.2+
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified attachment.cgi
modified Bugzilla/CGI.pm
modified Bugzilla/Attachment/PatchReader.pm
Committed revision 8136.
Status: REOPENED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Added to relnotes for 4.4 and 4.2.4.