Closed Bug 1579772 Opened 6 years ago Closed 6 years ago

Firefox X-Content-Type-Options: nosniff did not take effect

Categories

(Core :: DOM: Security, defect)

69 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1428473

People

(Reporter: dddliv3, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36

Steps to reproduce:

Open http://3mnk13j8.3cm.me/nosniff in Firefox 69.0 release (https://www.mozilla.org/en-US/firefox/69.0/releasenotes/)

The JavaScript code "alert(1)" is executed.

Actual results:

The HTTP Response Headers have "Content-Type: aaa" and "X-Content-Type-Options: nosniff"

But the JavaScript code in the script tag is still executed.

Expected results:

Firefox should not sniff page content; the JavaScript code will not be executed. You can refer to Chrome / Safari's behavior.
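An added example, not part of the original report and not Firefox or Bugzilla code: a server-side check that flags the header combination described above, a `Content-Type` that is not a parseable MIME type sent together with `X-Content-Type-Options: nosniff`. The function names, finding labels and sample header values are assumptions made for illustration.

```javascript
// HTTP token characters, as used for the type and subtype of a MIME type.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Return "type/subtype" in lowercase, or null when the value is not a MIME type.
function parseMimeEssence(contentType) {
  if (typeof contentType !== 'string') return null;
  const essence = contentType.split(';')[0].trim(); // drop parameters such as charset
  const slash = essence.indexOf('/');
  if (slash < 1) return null; // no slash, or empty type
  const type = essence.slice(0, slash);
  const subtype = essence.slice(slash + 1);
  if (!TOKEN.test(type) || !TOKEN.test(subtype)) return null;
  return essence.toLowerCase();
}

// nosniff is in effect when the first comma-separated value equals "nosniff",
// compared case-insensitively.
function hasNosniff(value) {
  if (typeof value !== 'string') return false;
  return value.split(',')[0].trim().toLowerCase() === 'nosniff';
}

// Audit one response. Header names are matched case-insensitively.
function auditResponse(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const essence = parseMimeEssence(h['content-type']);
  const nosniff = hasNosniff(h['x-content-type-options']);
  const findings = [];
  if (essence === null) findings.push('content-type-not-a-valid-mime-type');
  if (!nosniff) findings.push('nosniff-missing');
  // The case from this report: the server relies entirely on how the browser
  // applies nosniff to a response it cannot classify by declared type.
  if (essence === null && nosniff) findings.push('handling-depends-on-browser-nosniff-support');
  return { essence, nosniff, findings };
}

// Constructed sample: the headers quoted in the report.
const reportedResponse = { 'Content-Type': 'aaa', 'X-Content-Type-Options': 'nosniff' };
console.log(auditResponse(reportedResponse));
```

Sending a valid `Content-Type` for every response removes the dependency on how a given browser version treats an unparseable one.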

Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core

Hey! 👋
The Bug has already been fixed and the patch landed in Firefox 70.
Just tested this on Beta - Prompts a download and does execute the Script :)

See Also: → 1428473

Right! Feels like a straightforward dupe then...

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
See Also: 1428473
Group: core-security