Bugzilla should use "X-Content-Type-Options: nosniff" for attachments

RESOLVED FIXED in Bugzilla 4.0

Status

()

P1
enhancement
RESOLVED FIXED
11 years ago
9 years ago

People

(Reporter: gerv, Assigned: reed)

Tracking

unspecified
Bugzilla 4.0
Bug Flags:
approval +
approval4.0 +
blocking4.0 +

Details

(URL)

Attachments

(1 attachment)

X-Content-Type-Options: nosniff
is IE 8's solution to its content-sniffing woes. See this blog post:
http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

We should add this header to all Bugzilla attachments we serve.

Gerv
Definitely. Easy and something we've wanted for a long time.
Priority: -- → P1

Updated

11 years ago
Assignee: attach-and-request → colin.ogilvie
Taking...

Updated

11 years ago
Status: NEW → ASSIGNED
Is this now obsoleted by the new attachments-in-domains stuff, or could we still have this for people who don't have the ability to set that up?

Gerv

Updated

9 years ago
Duplicate of this bug: 583904
Patch coming up.
Assignee: colin.ogilvie → attach-and-request
Status: ASSIGNED → NEW
Flags: blocking4.0?
Target Milestone: --- → Bugzilla 4.0
Created attachment 462254 [details] [diff] [review]
patch - v1

Thought about making the header only display if the content-type is not equal to application/octet-stream, but I think it makes sense to always send it...
Assignee: attach-and-request → reed
Status: NEW → ASSIGNED
Attachment #462254 - Flags: review?(LpSolit)
Note that MantisBT just added this to all their attachments, as per a recent security bug (http://www.mantisbt.org/bugs/view.php?id=11952).

Updated

9 years ago
Flags: blocking4.0? → blocking4.0+

Comment 8

9 years ago
Comment on attachment 462254 [details] [diff] [review]
patch - v1

Tested with IE6, IE8 and IE9 + Fx, Opera, Chrome, Safari and Konqueror, and this is working fine. IE8 correctly stops sniffing the file content. Of course, IE6 doesn't care, as expected.
Attachment #462254 - Flags: review?(LpSolit) → review+

Updated

9 years ago
Flags: approval4.0+
Flags: approval+
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
Committed revision 7420.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified attachment.cgi
Committed revision 7363.
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Updated

9 years ago
Keywords: relnote
Added to the release notes in bug 604256.
Keywords: relnote
You need to log in before you can comment on or make changes to this bug.