X-Content-Type-Options: nosniff is IE 8's solution to its content-sniffing woes. See this blog post: http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx We should add this header to all Bugzilla attachments we serve. Gerv
Definitely. Easy and something we've wanted for a long time.
Is this now obsoleted by the new attachments-in-domains stuff, or could we still have this for people who don't have the ability to set that up? Gerv
Patch coming up.
Created attachment 462254: patch - v1
Thought about making the header only display if the content-type is not equal to application/octet-stream, but I think it makes sense to always send it...
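To make concrete what the header prevents, and why it is worth sending on every attachment regardless of content type, here is an added Python model. It is not Bugzilla's attachment.cgi and it is not IE8's real sniffing algorithm: the marker list, the 256-byte window and the set of "sniffable" declared types are simplifying assumptions standing in for the browser's heuristics. The sample attachment body is constructed for the example.

```python
"""
Added example (not Bugzilla code): a simplified model of content sniffing on
served attachments and of the response headers that switch it off.
"""
import re

# Assumption: a sniffing browser only inspects the start of the body.
HTML_SNIFF_WINDOW = 256
# Assumption: a short list of tags standing in for the browser's real marker set.
HTML_MARKERS = re.compile(
    rb"<(?:!doctype html|html|head|body|script|iframe|img|title|table|div|a )",
    re.IGNORECASE,
)
# Assumption: declared types the model treats as candidates for promotion to HTML.
SNIFFABLE_TYPES = ("text/plain", "")


def attachment_headers(content_type, filename):
    """Headers an attachment-serving script should emit.

    X-Content-Type-Options: nosniff is sent unconditionally, which is what the
    patch in this bug settled on instead of skipping application/octet-stream.
    """
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'inline; filename="%s"' % filename,
        "X-Content-Type-Options": "nosniff",
    }


def effective_type(headers, body):
    """Type a sniffing user agent would render the response as (simplified)."""
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    if nosniff:
        # The header tells the browser to honour the declared type as-is.
        return declared
    # Without nosniff, HTML-looking bytes near the start of a text/plain body
    # are promoted to text/html, so the attachment runs as a page in the bug
    # tracker's origin.
    if declared in SNIFFABLE_TYPES and HTML_MARKERS.search(body[:HTML_SNIFF_WINDOW]):
        return "text/html"
    return declared


def missing_nosniff(responses):
    """Audit helper: names of attachment responses that do not carry nosniff.

    responses maps a name to (headers, body).
    """
    return [
        name
        for name, (hdrs, _body) in responses.items()
        if hdrs.get("X-Content-Type-Options", "").strip().lower() != "nosniff"
    ]


# Constructed sample: an attachment uploaded as "text" that is really HTML.
EVIL_TXT = b"<html><body><script>alert(document.cookie)</script></body></html>"


def demo():
    """Same body served with and without the header."""
    unprotected = {"Content-Type": "text/plain"}
    protected = attachment_headers("text/plain", "notes.txt")
    return effective_type(unprotected, EVIL_TXT), effective_type(protected, EVIL_TXT)


if __name__ == "__main__":
    print(demo())
```

The same audit can be pointed at real responses by filling `responses` from an HTTP client; the model is only there to show the before/after on a harmless sample.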
Note that MantisBT just added this to all their attachments, as per a recent security bug (http://www.mantisbt.org/bugs/view.php?id=11952).
Comment on attachment 462254: patch - v1
Tested with IE6, IE8 and IE9 + Fx, Opera, Chrome, Safari and Konqueror, and this is working fine. IE8 correctly stops sniffing the file content. Of course, IE6 doesn't care, as expected.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/ modified attachment.cgi Committed revision 7420. Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/ modified attachment.cgi Committed revision 7363.
Added to the release notes in bug 604256.