Closed
Bug 1594766
Opened 6 years ago
Closed 6 years ago
Decide whether to continue ignoring XCTO Nosniff when Content Type is Empty, or to enforce
Categories
(Core :: DOM: Security, task, P3)
Tracking
RESOLVED
FIXED
mozilla75
| | Tracking | Status |
|---|---|---|
| firefox75 | --- | fixed |
People
(Reporter: sstreich, Assigned: sstreich)
References
Details
(Keywords: site-compat, Whiteboard: [domsecurity-backlog2])
Attachments
(1 file)
In Bug 1591932 we've added the workaround to ignore nosniff if we do not get a content-type.
This was needed as we encountered some pages breaking with the strict variant of nosniff.
We should wait for telemetry to see if it is necessary to keep the workaround or if we can safely remove it.
Comment 1•6 years ago
We weren't 100% sure what this bug was saying needs to happen. Changed the title and bug type (defect -> task) to reflect our best guess. Please correct if wrong.
Type: defect → task
Flags: needinfo?(sstreich)
Priority: -- → P3
Summary: XTCO Nosniff is ignored if Content Type is Empty → Decide whether to continue ignoring XCTO Nosniff when Content Type is Empty, or to enforce
Whiteboard: [domsecurity-backlog2]
Comment 2•6 years ago
We should at least exclude content types that can run scripts even if we keep sniffing.
Comment 4•6 years ago (Assignee)
As telemetry shows there is no real risk of breakage, we should move this forward and finally stop sniffing at all if nosniff is enabled :)
Updated•6 years ago
Assignee: nobody → sstreich
Status: NEW → ASSIGNED
Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d403fec7dda7
Respect Nosniff header for empty content-types r=ckerschb
Comment 6•6 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox75: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
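Added example, not part of the bug or of Firefox's code: a check a site operator could run over captured response headers to find responses that send `X-Content-Type-Options: nosniff` with a missing or empty `Content-Type`, the case whose handling this bug changes. The URLs and header blocks are constructed samples, and the function names are hypothetical.

```python
# Added example: flag responses that combine nosniff with no usable Content-Type.
# All sample responses below are constructed for illustration.

def parse_headers(raw):
    """Parse a raw HTTP response header block into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def is_nosniff(headers):
    """True if the first comma-separated X-Content-Type-Options token is
    'nosniff', compared case-insensitively (the rule the Fetch standard uses)."""
    tokens = ",".join(headers.get("x-content-type-options", [])).split(",")
    return tokens[0].strip().lower() == "nosniff"

def has_content_type(headers):
    """True if at least one Content-Type header carries a non-empty value."""
    return any(v for v in headers.get("content-type", []))

def audit(responses):
    """Return URLs whose response sets nosniff but gives no usable Content-Type."""
    flagged = []
    for url, raw in responses:
        h = parse_headers(raw)
        if is_nosniff(h) and not has_content_type(h):
            flagged.append(url)
    return flagged

SAMPLE_RESPONSES = [  # constructed
    ("https://example.test/ok",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nX-Content-Type-Options: nosniff\r\n"),
    ("https://example.test/missing",
     "HTTP/1.1 200 OK\r\nX-Content-Type-Options: NoSniff\r\n"),
    ("https://example.test/empty",
     "HTTP/1.1 200 OK\r\nContent-Type:\r\nx-content-type-options: nosniff\r\n"),
    ("https://example.test/sniffable",
     "HTTP/1.1 200 OK\r\nContent-Length: 12\r\n"),
]

if __name__ == "__main__":
    for url in audit(SAMPLE_RESPONSES):
        print("nosniff without Content-Type:", url)
```

Responses it flags are the ones to give an explicit `Content-Type` on the server side.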