Bug 453425 - Bugzilla should use "X-Content-Type-Options: nosniff" for attachments
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Attachments & Requests
Version: unspecified
Platform: All All
Importance: P1 enhancement
Target Milestone: Bugzilla 4.0
Assigned To: Reed Loden [:reed]
QA Contact: default-qa
Mentors:
URL: http://blogs.msdn.com/ie/archive/2008...
Duplicates: 583904
Depends on:
Blocks:
Reported: 2008-09-03 03:02 PDT by Gervase Markham [:gerv]
Modified: 2010-10-21 19:39 PDT
CC: 3 users
LpSolit: approval+
LpSolit: approval4.0+
mkanat: blocking4.0+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

Attachments
patch - v1 (557 bytes, patch)
2010-08-02 16:48 PDT, Reed Loden [:reed]
LpSolit: review+

Description Gervase Markham [:gerv] 2008-09-03 03:02:17 PDT
"X-Content-Type-Options: nosniff" is IE 8's solution to its content-sniffing woes. See this blog post:
http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

We should add this header to all Bugzilla attachments we serve.

Gerv
Comment 1 Max Kanat-Alexander 2008-09-04 00:42:19 PDT
Definitely. Easy and something we've wanted for a long time.
Comment 2 Colin Ogilvie [:cso] 2008-09-04 01:15:52 PDT
Taking...
Comment 3 Gervase Markham [:gerv] 2009-10-08 09:39:12 PDT
Is this now obsoleted by the new attachments-in-domains stuff, or could we still have this for people who don't have the ability to set that up?

Gerv
Comment 4 Max Kanat-Alexander 2010-08-02 16:33:13 PDT
*** Bug 583904 has been marked as a duplicate of this bug. ***
Comment 5 Reed Loden [:reed] 2010-08-02 16:35:27 PDT
Patch coming up.
Comment 6 Reed Loden [:reed] 2010-08-02 16:48:29 PDT
Created attachment 462254 [details] [diff] [review]
patch - v1

Thought about making the header only display if the content-type is not equal to application/octet-stream, but I think it makes sense to always send it...
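As an added illustration, not code from the patch or from Bugzilla itself (attachment.cgi is Perl), a small Python sketch of the choice made in this comment: emit the header for every attachment whatever its stored content type, together with a checker that reads a response the way a nosniff-aware browser does. The attachment records and HTTP responses below are constructed.

```python
"""nosniff on attachment responses (added example; all data constructed)."""

# Constructed attachment records: id -> (stored content type, body). Bugzilla
# would read these from its attachments table.
ATTACHMENTS = {
    1: ("text/plain", b"<html><body>looks like HTML to a sniffer</body></html>"),
    2: ("application/octet-stream", b"\x89PNG\r\n\x1a\n"),
}

def attachment_headers(content_type):
    """Response headers for an attachment. nosniff goes out for every type
    (the decision in comment 6): gating it on the type not being
    application/octet-stream would leave text/plain, the case sniffing
    actually upgrades to HTML, unprotected."""
    return [
        ("Content-Type", content_type),
        ("X-Content-Type-Options", "nosniff"),
    ]

def nosniff_enabled(headers):
    """Decide as a nosniff-aware browser does (Fetch's "determine nosniff"):
    header name is case-insensitive, only the first comma-separated value
    counts, and it must be "nosniff" case-insensitively. A missing or
    misspelled header ("no-sniff", "nosnif") leaves sniffing on."""
    for name, value in headers:
        if name.lower() == "x-content-type-options":
            return value.split(",", 1)[0].strip().lower() == "nosniff"
    return False

def audit(raw_response):
    """Parse the header block of a raw HTTP response (bytes) and report whether
    nosniff is in force; a regression check to run against attachment.cgi."""
    head = raw_response.partition(b"\r\n\r\n")[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return nosniff_enabled(headers)

# Constructed responses: the shape before and after the patch.
BEFORE = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n<html>...</html>"
AFTER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
         b"X-Content-Type-Options: nosniff\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    for ctype, _ in ATTACHMENTS.values():
        print(ctype, "->", nosniff_enabled(attachment_headers(ctype)))  # True
    print("before patch:", audit(BEFORE))  # False
    print("after patch:", audit(AFTER))  # True
```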
Comment 7 Reed Loden [:reed] 2010-08-02 16:50:23 PDT
Note that MantisBT just added this to all their attachments, as per a recent security bug (http://www.mantisbt.org/bugs/view.php?id=11952).
Comment 8 Frédéric Buclin 2010-08-03 09:38:28 PDT
Comment on attachment 462254 [details] [diff] [review]
patch - v1

Tested with IE6, IE8 and IE9 + Fx, Opera, Chrome, Safari and Konqueror, and this is working fine. IE8 correctly stops sniffing the file content. Of course, IE6 doesn't care, as expected.
Comment 9 Reed Loden [:reed] 2010-08-03 10:52:44 PDT
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
Committed revision 7420.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified attachment.cgi
Committed revision 7363.
Comment 10 Max Kanat-Alexander 2010-10-21 19:39:52 PDT
Added to the release notes in bug 604256.