Closed
Bug 583904
Opened 14 years ago
Closed 14 years ago
Send 'X-Content-Type-Options: nosniff' header on attachments with a content-type to prevent IE from sniffing
Categories
(Bugzilla :: Attachments & Requests, enhancement)
RESOLVED
DUPLICATE
of bug 453425
People
(Reporter: reed, Unassigned)
Details
I was reading the patch MantisBT implemented for http://www.mantisbt.org/bugs/view.php?id=11952 (http://www.mantisbt.org/blog/?p=113), and I came across something we should probably do in Bugzilla.
There is a header that we can send to make IE not second-guess the content-type we're sending with attachments. Documentation is available at http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx, but basically, we just need to send 'X-Content-Type-Options: nosniff' on attachments.
We're pretty secure as-is with regards to handling attachments, but I think this would help protect us more, especially on IE...
Flags: blocking4.0?
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•14 years ago
Target Milestone: Bugzilla 4.0 → ---
Updated•14 years ago
Flags: blocking4.0?
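The header requested in this bug can be applied in one place on the server side. The following is an added example in Python WSGI, not Bugzilla or MantisBT code; `add_nosniff`, `attachment_app`, `untyped_app`, `collect_headers` and the sample responses are constructed for illustration.

```python
NOSNIFF = ("X-Content-Type-Options", "nosniff")


def add_nosniff(app):
    """Wrap a WSGI app so every response that declares a Content-Type
    also carries exactly one 'X-Content-Type-Options: nosniff' header."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            # Only a response with a declared type has a type to protect.
            if "content-type" in names:
                # Drop any existing copy so the header is never duplicated.
                headers = [(n, v) for n, v in headers
                           if n.lower() != NOSNIFF[0].lower()]
                headers.append(NOSNIFF)
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def attachment_app(environ, start_response):
    # Constructed sample: a text attachment whose bytes resemble markup,
    # the case where a sniffing browser could override the declared type.
    body = b"<b>plain text that merely looks like markup</b>"
    start_response("200 OK", [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Content-Disposition", 'inline; filename="notes.txt"'),
    ])
    return [body]


def untyped_app(environ, start_response):
    # Constructed sample: a response with no Content-Type at all.
    start_response("304 Not Modified", [])
    return []


def collect_headers(app):
    """Run a WSGI app once and return (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, list(headers)
    body = b"".join(app({"REQUEST_METHOD": "GET"}, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    for sample in (attachment_app, untyped_app):
        print(collect_headers(add_nosniff(sample)))
```
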