Closed Bug 453425 Opened 13 years ago Closed 11 years ago

Bugzilla should use "X-Content-Type-Options: nosniff" for attachments

Categories

(Bugzilla :: Attachments & Requests, enhancement, P1)

enhancement

Tracking

()

RESOLVED FIXED
Bugzilla 4.0

People

(Reporter: gerv, Assigned: reed)

References

()

Details

Attachments

(1 file)

X-Content-Type-Options: nosniff
is IE 8's solution to its content-sniffing woes. See this blog post:
http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

We should add this header to all Bugzilla attachments we serve.

Gerv
Definitely. Easy and something we've wanted for a long time.
Priority: -- → P1
Assignee: attach-and-request → colin.ogilvie
Taking...
Status: NEW → ASSIGNED
Is this now obsoleted by the new attachments-in-domains stuff, or could we still have this for people who don't have the ability to set that up?

Gerv
Duplicate of this bug: 583904
Patch coming up.
Assignee: colin.ogilvie → attach-and-request
Status: ASSIGNED → NEW
Flags: blocking4.0?
Target Milestone: --- → Bugzilla 4.0
Attached patch patch - v1Splinter Review
Thought about making the header only display if the content-type is not equal to application/octet-stream, but I think it makes sense to always send it...
Assignee: attach-and-request → reed
Status: NEW → ASSIGNED
Attachment #462254 - Flags: review?(LpSolit)
Note that MantisBT just added this to all their attachments, as per a recent security bug (http://www.mantisbt.org/bugs/view.php?id=11952).
Flags: blocking4.0? → blocking4.0+
Comment on attachment 462254 [details] [diff] [review]
patch - v1

Tested with IE6, IE8 and IE9 + Fx, Opera, Chrome, Safari and Konqueror, and this is working fine. IE8 correctly stops sniffing the file content. Of course, IE6 doesn't care, as expected.
Attachment #462254 - Flags: review?(LpSolit) → review+
Flags: approval4.0+
Flags: approval+
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
Committed revision 7420.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified attachment.cgi
Committed revision 7363.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Keywords: relnote
Added to the release notes in bug 604256.
Keywords: relnote
You need to log in before you can comment on or make changes to this bug.