Closed Bug 1579176 Opened 6 years ago Closed 5 years ago

Sniffing prevention via "X-Content-Type-Options: nosniff" should probably also disable stream converters

Categories

(Core :: DOM: Security, defect, P1)



RESOLVED WONTFIX

People

(Reporter: bzbarsky, Assigned: sstreich)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 obsolete file)

The patch in bug 1428473 doesn't change whether the code at https://searchfox.org/mozilla-central/rev/e5327b05c822cdac24e233afa37d72c0552dbbaf/uriloader/base/nsURILoader.cpp#501-519 runs. Should it have? It seems like we wouldn't want to do that if nosniff is specified...

Basti, can you take a look please?

Flags: needinfo?(sstreich)
Assignee: nobody → sstreich
Flags: needinfo?(sstreich)
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]
Attachment #9092305 - Attachment is obsolete: true

Is there anything left to do here or can we close this one?

Flags: needinfo?(sstreich)

Using ZAP and Firefox 77.0.1 we still get "X-Content-Type-Options Header Missing" (The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff') for URLs:

https://tracking-protection.cdn.mozilla.net/..../.../....

(In reply to Chris Potter from comment #4)

> Using ZAP and Firefox 77.0.1 we still get "X-Content-Type-Options Header Missing" (The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff') for URLs:
>
> https://tracking-protection.cdn.mozilla.net/..../.../....
>
> and also
>
> https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=77.0&pver=2.2

Hey Chris, those links don't work for me, at least.
But in case the problem is that "tracking-protection.cdn.mozilla.net" and the shavar services are not sending nosniff, this is sadly the wrong bug.
Could you maybe file a bug for that directly on the shavar issue page? In case it's not, just comment and I will reopen the bug :)

Christoph, I'll close the bug; we currently can't disable the streaming converters, as we rely on nsUnknownDecoder for the case where we don't get a MIME type at all.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(sstreich)
Resolution: --- → WONTFIX
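The two points raised above, the ZAP "header missing" finding and the note that a response with no Content-Type at all still goes through nsUnknownDecoder, as a small response audit. This is an added example, not Firefox or ZAP code: the sample responses are constructed, the finding strings are my own wording, and `sniffing_expected` is a simplified model of the behaviour the comments describe, not the browser's actual decision logic.

```python
from typing import Dict, List

# Constructed sample responses (not captures from the hosts named in this bug).
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "ok": (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
           b"X-Content-Type-Options: nosniff\r\n\r\n<html>"),
    "missing_xcto": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello",
    "no_content_type": b"HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n\r\n<html>",
    "bad_value": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  b"X-Content-Type-Options: sniff\r\n\r\n<html>"),
}


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP/1.x response into a dict keyed by lowercase header name."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def has_nosniff(headers: Dict[str, str]) -> bool:
    """True when the first X-Content-Type-Options value is 'nosniff' (case-insensitive)."""
    value = headers.get("x-content-type-options")
    if value is None:
        return False
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def sniffing_expected(headers: Dict[str, str]) -> bool:
    """Simplified model: nosniff protects a declared type, but a response with no
    Content-Type at all is still handed to the unknown-type decoder (per the bug)."""
    if "content-type" not in headers:
        return True
    return not has_nosniff(headers)


def audit(raw: bytes) -> List[str]:
    """Return the findings a scanner would raise for one raw response."""
    headers = parse_headers(raw)
    findings: List[str] = []
    if "x-content-type-options" not in headers:
        findings.append("X-Content-Type-Options header missing")
    elif not has_nosniff(headers):
        findings.append("X-Content-Type-Options not set to 'nosniff'")
    if "content-type" not in headers:
        findings.append("Content-Type missing; browser will sniff regardless of nosniff")
    return findings
```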

Hey Sebastien,

I thought that responsibility for external calls (*.mozilla.net, *.mozilla.org) belongs to the Mozilla Foundation. I think it could hurt Firefox's reputation to have medium security alerts.
Having no time to report this bug elsewhere for now, you can close this one if it is convenient for you.
Best,
