Bug 453425 - Bugzilla should use "X-Content-Type-Options: nosniff" for attachments
Product: Bugzilla
Classification: Server Software
Component: Attachments & Requests
Version: unspecified
Hardware: All
OS: All
Importance: P1 enhancement
Target Milestone: Bugzilla 4.0
Assigned To: Reed Loden [:reed] (use needinfo?)
QA Contact: default-qa
Duplicates: 583904
Depends on:
Reported: 2008-09-03 03:02 PDT by Gervase Markham [:gerv]
Modified: 2010-10-21 19:39 PDT
CC: 3 users
Flags:
  LpSolit: approval+
  LpSolit: approval4.0+
  mkanat: blocking4.0+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

patch - v1 (557 bytes, patch)
2010-08-02 16:48 PDT, Reed Loden [:reed] (use needinfo?)
LpSolit: review+

Description Gervase Markham [:gerv] 2008-09-03 03:02:17 PDT
X-Content-Type-Options: nosniff is IE 8's solution to its content-sniffing woes. See this blog post:

We should add this header to all Bugzilla attachments we serve.

Comment 1 Max Kanat-Alexander 2008-09-04 00:42:19 PDT
Definitely. Easy and something we've wanted for a long time.
Comment 2 Colin Ogilvie [:cso] 2008-09-04 01:15:52 PDT
Comment 3 Gervase Markham [:gerv] 2009-10-08 09:39:12 PDT
Is this now obsoleted by the new attachments-in-domains stuff, or could we still have this for people who don't have the ability to set that up?

Comment 4 Max Kanat-Alexander 2010-08-02 16:33:13 PDT
*** Bug 583904 has been marked as a duplicate of this bug. ***
Comment 5 Reed Loden [:reed] (use needinfo?) 2010-08-02 16:35:27 PDT
Patch coming up.
Comment 6 Reed Loden [:reed] (use needinfo?) 2010-08-02 16:48:29 PDT
Created attachment 462254 [details] [diff] [review]
patch - v1

Thought about making the header only display if the content-type is not equal to application/octet-stream, but I think it makes sense to always send it...
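Added example, not code from this page: the 557-byte patch on attachment 462254 is not reproduced here, and Bugzilla's attachment.cgi is Perl, so this Python stand-in is illustrative only. It shows the response shape the description asks for (nosniff on every served attachment, sent unconditionally as comment 6 chose, application/octet-stream included) and an offline checker that grades a captured HTTP response for the header. The attachment ids, filenames, bodies, the WSGI handler and the two raw responses are all constructed for the example.

```python
"""Added example (not Bugzilla code): a minimal attachment handler that sends
X-Content-Type-Options: nosniff on every attachment, and an offline checker
that grades a captured HTTP response for the same header."""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Constructed sample store (hypothetical ids and contents). Entry 1 is
# sniffing bait: a text/plain attachment whose bytes look like HTML. Viewed
# inline, a browser that content-sniffs would render it as a page in the
# Bugzilla origin instead of showing plain text.
ATTACHMENTS: Dict[int, Tuple[str, str, bytes]] = {
    1: ("text/plain", "poc.txt",
        b"<html><body><script>alert(document.cookie)</script></body></html>"),
    2: ("application/octet-stream", "blob.bin", b"\x89PNG\r\n\x1a\n\x00\x00"),
}


def attachment_headers(content_type: str, filename: str) -> List[Tuple[str, str]]:
    """Headers for serving one attachment. nosniff is sent for every type,
    the choice made in comment 6, rather than only for non-octet-stream."""
    return [
        ("Content-Type", content_type),
        ("Content-Disposition", 'inline; filename="%s"' % filename),
        ("X-Content-Type-Options", "nosniff"),
    ]


def serve_attachment(environ, start_response):
    """Hypothetical WSGI stand-in for attachment.cgi: ?id=N returns the bytes."""
    ids = parse_qs(environ.get("QUERY_STRING", "")).get("id", [])
    entry = ATTACHMENTS.get(int(ids[0])) if ids and ids[0].isdigit() else None
    if entry is None:
        start_response("404 Not Found", [("Content-Type", "text/plain"),
                                         ("X-Content-Type-Options", "nosniff")])
        return [b"no such attachment"]
    content_type, filename, body = entry
    start_response("200 OK", attachment_headers(content_type, filename))
    return [body]


def render(attachment_id: int):
    """Drive the handler in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["QUERY_STRING"] = "id=%d" % attachment_id
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(serve_attachment(environ, start_response))
    return captured["status"], captured["headers"], body


def parse_response(raw: bytes):
    """Split a captured HTTP/1.1 response (CRLF framing, as on the wire) into
    status line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def audit_attachment_response(raw: bytes) -> dict:
    """Grade one response: 'high' when the body looks like markup, the declared
    type is not text/html and nosniff is absent (a sniffing browser may treat
    it as HTML); 'medium' when nosniff is merely absent; 'low' otherwise."""
    _, headers, body = parse_response(raw)
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    head = body[:512].lower()
    markup = b"<html" in head or b"<script" in head
    if markup and not nosniff and ctype != "text/html":
        risk = "high"
    elif not nosniff:
        risk = "medium"
    else:
        risk = "low"
    return {"nosniff": nosniff, "content_type": ctype,
            "sniffable_markup": markup, "risk": risk}


# Constructed responses: the attachment endpoint before and after this fix.
RESPONSE_BEFORE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                   b"Content-Disposition: inline; filename=\"poc.txt\"\r\n\r\n"
                   b"<html><script>alert(1)</script></html>")
RESPONSE_AFTER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                  b"Content-Disposition: inline; filename=\"poc.txt\"\r\n"
                  b"X-Content-Type-Options: nosniff\r\n\r\n"
                  b"<html><script>alert(1)</script></html>")

if __name__ == "__main__":
    print(audit_attachment_response(RESPONSE_BEFORE)["risk"])  # high
    print(audit_attachment_response(RESPONSE_AFTER)["risk"])   # low
    print(render(1)[1])
```

The checker only looks at the first 512 bytes for markup, roughly the window a sniffing browser inspects; it is a triage aid for captured responses, not a substitute for testing in the browsers comment 8 lists, since the header is ignored by IE6 and earlier.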
Comment 7 Reed Loden [:reed] (use needinfo?) 2010-08-02 16:50:23 PDT
Note that MantisBT just added this to all their attachments, as per a recent security bug (
Comment 8 Frédéric Buclin 2010-08-03 09:38:28 PDT
Comment on attachment 462254 [details] [diff] [review]
patch - v1

Tested with IE6, IE8 and IE9 + Fx, Opera, Chrome, Safari and Konqueror, and this is working fine. IE8 correctly stops sniffing the file content. Of course, IE6 doesn't care, as expected.
Comment 9 Reed Loden [:reed] (use needinfo?) 2010-08-03 10:52:44 PDT
Committing to: bzr+ssh://
modified attachment.cgi
Committed revision 7420.

Committing to: bzr+ssh://
modified attachment.cgi
Committed revision 7363.
Comment 10 Max Kanat-Alexander 2010-10-21 19:39:52 PDT
Added to the release notes in bug 604256.
