Bugzilla should use "X-Content-Type-Options: nosniff" for attachments

RESOLVED FIXED in Bugzilla 4.0

Status

Bugzilla
Attachments & Requests
P1
enhancement
RESOLVED FIXED
9 years ago
7 years ago

People

(Reporter: gerv, Assigned: reed)

Tracking

unspecified
Bugzilla 4.0
Bug Flags:
approval +
approval4.0 +
blocking4.0 +

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
X-Content-Type-Options: nosniff is IE 8's solution to its content-sniffing woes. See this blog post:
http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

We should add this header to all Bugzilla attachments we serve.

Gerv

Comment 1

9 years ago
Definitely. Easy and something we've wanted for a long time.
Priority: -- → P1

Updated

9 years ago
Assignee: attach-and-request → colin.ogilvie

Comment 2

9 years ago
Taking...

Updated

9 years ago
Status: NEW → ASSIGNED
(Reporter)

Comment 3

8 years ago
Is this now obsoleted by the new attachments-in-domains stuff, or could we still have this for people who don't have the ability to set that up?

Gerv

Updated

7 years ago
Duplicate of this bug: 583904
(Assignee)

Comment 5

7 years ago
Patch coming up.
Assignee: colin.ogilvie → attach-and-request
Status: ASSIGNED → NEW
Flags: blocking4.0?
Target Milestone: --- → Bugzilla 4.0
(Assignee)

Comment 6

7 years ago
Created attachment 462254 [details] [diff] [review]
patch - v1

Thought about making the header only display if the content-type is not equal to application/octet-stream, but I think it makes sense to always send it...
Assignee: attach-and-request → reed
Status: NEW → ASSIGNED
Attachment #462254 - Flags: review?(LpSolit)
(Assignee)

Comment 7

7 years ago
Note that MantisBT just added this to all their attachments, as per a recent security bug (http://www.mantisbt.org/bugs/view.php?id=11952).

Updated

7 years ago
Flags: blocking4.0? → blocking4.0+

Comment 8

7 years ago
Comment on attachment 462254 [details] [diff] [review]
patch - v1

Tested with IE6, IE8 and IE9 + Fx, Opera, Chrome, Safari and Konqueror, and this is working fine. IE8 correctly stops sniffing the file content. Of course, IE6 doesn't care, as expected.
Attachment #462254 - Flags: review?(LpSolit) → review+
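As an added illustration of the decision in comment 6 (send the header on every attachment, whatever its content type) and the reviewer's cross-browser check in comment 8, the following Python is example code written for this page; it is not Bugzilla's attachment.cgi and nothing in it comes from the patch. The attachment store, the /attachment/<id> routing and the captured response text are all constructed for the example. It serves attachments through a tiny WSGI app that always sets X-Content-Type-Options: nosniff, and includes an audit helper that parses captured response heads (as you would collect them with curl -I) and flags responses whose header is missing or carries a value browsers do not recognize.

```python
"""Added example (not Bugzilla's code): send X-Content-Type-Options: nosniff on
every attachment response, and audit captured responses for the header."""
from typing import Dict, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample store; ids, types and bytes are made up for the example.
# Attachment 101 is the classic case: labelled text/plain but HTML inside.
ATTACHMENTS: Dict[str, Tuple[str, bytes]] = {
    "101": ("text/plain", b"<html><script>alert(1)</script></html>"),
    "102": ("application/octet-stream", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    "103": ("image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
}


def attachment_headers(content_type: str, attach_id: str) -> Headers:
    """Headers for one attachment. nosniff is sent for every content type,
    including application/octet-stream, as the thread decided in comment 6."""
    return [
        ("Content-Type", content_type),
        ("Content-Disposition", f'attachment; filename="attachment-{attach_id}"'),
        ("X-Content-Type-Options", "nosniff"),
    ]


def attachment_app(environ, start_response) -> Iterable[bytes]:
    """Minimal WSGI app standing in for an attachment handler.
    Hypothetical routing: GET /attachment/<id>."""
    attach_id = environ.get("PATH_INFO", "").rsplit("/", 1)[-1]
    if attach_id not in ATTACHMENTS:
        # Error bodies get the header too; there is no reason to omit it.
        start_response("404 Not Found", [("Content-Type", "text/plain"),
                                         ("X-Content-Type-Options", "nosniff")])
        return [b"no such attachment"]
    content_type, data = ATTACHMENTS[attach_id]
    start_response("200 OK", attachment_headers(content_type, attach_id))
    return [data]


def has_nosniff(headers: Headers) -> bool:
    """True if the response carries the value 'nosniff' (case-insensitive).
    That is the only value browsers act on, so 'no-sniff' does not count."""
    return any(name.lower() == "x-content-type-options"
               and value.strip().lower() == "nosniff"
               for name, value in headers)


def parse_raw_headers(raw: str) -> Headers:
    """Parse a captured HTTP response head: status line, then header lines."""
    headers: Headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def audit(responses: Dict[str, str]) -> List[str]:
    """Return the ids of captured responses that lack a valid nosniff header."""
    return [rid for rid, raw in responses.items()
            if not has_nosniff(parse_raw_headers(raw))]


def fetch(path: str) -> Tuple[str, Headers, bytes]:
    """Invoke the WSGI app in-process; no network or server needed."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(attachment_app(environ, start_response))
    return captured["status"], captured["headers"], body


# Constructed captures in the shape curl -sI prints; not real Bugzilla output.
SAMPLE_RESPONSES = {
    "ok": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
          "X-Content-Type-Options: nosniff\r\n",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
               "Content-Disposition: attachment\r\n",
    "typo": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            "X-Content-Type-Options: no-sniff\r\n",
}

if __name__ == "__main__":
    status, headers, body = fetch("/attachment/101")
    print(status, "nosniff present:", has_nosniff(headers))
    print("captured responses lacking nosniff:", audit(SAMPLE_RESPONSES))
```

The audit step is the part worth keeping around after the fix lands: a header that is set in one code path but not another (error pages, a second download handler, a reverse proxy that rewrites headers) will show up as an id in the returned list, and the value check catches the near-misses that look right in a log but that browsers ignore.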

Updated

7 years ago
Flags: approval4.0+
Flags: approval+
(Assignee)

Comment 9

7 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
Committed revision 7420.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified attachment.cgi
Committed revision 7363.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Updated

7 years ago
Keywords: relnote

Comment 10

7 years ago
Added to the release notes in bug 604256.
Keywords: relnote