Send 'X-Content-Type-Options: nosniff' header on attachments with a content-type to prevent IE from sniffing

RESOLVED DUPLICATE of bug 453425

Status

Bugzilla
Attachments & Requests
--
enhancement
8 years ago
6 years ago

People

(Reporter: reed, Unassigned)

(Reporter)

Description

8 years ago
I was reading the patch MantisBT implemented for http://www.mantisbt.org/bugs/view.php?id=11952 (http://www.mantisbt.org/blog/?p=113), and I came across something we should probably do in Bugzilla.

There is a header that we can send to make IE not second-guess the content-type we're sending with attachments. Documentation is available at http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx, but basically, we just need to send 'X-Content-Type-Options: nosniff' on attachments.

We're pretty secure as-is with regard to handling attachments, but I think this would help protect us more, especially on IE...
Flags: blocking4.0?
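
The header requested in this report, shown as a Python WSGI middleware applied to an attachment handler. This is an added example, not code from the bug report, MantisBT, or Bugzilla; `harden_headers`, `NoSniffMiddleware`, `attachment_app` and `run` are hypothetical names, and the sample attachment is constructed.

```python
NOSNIFF = ("X-Content-Type-Options", "nosniff")

def harden_headers(headers):
    """Return a copy of the (name, value) pairs with exactly one nosniff
    header, added only when the response declares a Content-Type."""
    names = {name.lower() for name, _ in headers}
    if "content-type" not in names:
        # Scope taken from the bug title: attachments *with* a content-type.
        return list(headers)
    # Drop any existing (possibly wrong or duplicated) value, then set one.
    kept = [(n, v) for n, v in headers if n.lower() != NOSNIFF[0].lower()]
    kept.append(NOSNIFF)
    return kept

class NoSniffMiddleware:
    """WSGI middleware (hypothetical name) wrapping an attachment handler."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            return start_response(status, harden_headers(headers), exc_info)
        return self.app(environ, patched)

def attachment_app(environ, start_response):
    """Constructed sample handler: a text/plain attachment whose bytes look
    like HTML, the case where a sniffing browser may override the type."""
    body = b"<html><body>uploaded as plain text</body></html>"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]

def run(app):
    """Call a WSGI app once and return (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers

    body = b"".join(app({"REQUEST_METHOD": "GET"}, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    print(run(NoSniffMiddleware(attachment_app))[1])
```
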

Updated

8 years ago
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 453425

Updated

8 years ago
Target Milestone: Bugzilla 4.0 → ---

Updated

8 years ago
Flags: blocking4.0?