Closed Bug 453425 Opened 13 years ago Closed 11 years ago
Bugzilla should use "X-Content-Type-Options: nosniff" for attachments
X-Content-Type-Options: nosniff is IE 8's solution to its content-sniffing woes. See this blog post: http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx We should add this header to all Bugzilla attachments we serve. Gerv
Definitely. Easy and something we've wanted for a long time.
Priority: -- → P1
Is this now obsoleted by the new attachments-in-domains stuff, or could we still have this for people who don't have the ability to set that up? Gerv
Patch coming up.
Assignee: colin.ogilvie → attach-and-request
Status: ASSIGNED → NEW
Target Milestone: --- → Bugzilla 4.0
Thought about making the header only display if the content-type is not equal to application/octet-stream, but I think it makes sense to always send it...
Assignee: attach-and-request → reed
Status: NEW → ASSIGNED
Attachment #462254 - Flags: review?(LpSolit)
Note that MantisBT just added this to all their attachments, as per a recent security bug (http://www.mantisbt.org/bugs/view.php?id=11952).
Comment on attachment 462254 [details] [diff] [review] patch - v1 Tested with IE6, IE8 and IE9 + Fx, Opera, Chrome, Safari and Konqueror, and this is working fine. IE8 correctly stops sniffing the file content. Of course, IE6 doesn't care, as expected.
Attachment #462254 - Flags: review?(LpSolit) → review+
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/ modified attachment.cgi Committed revision 7420. Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/ modified attachment.cgi Committed revision 7363.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.