I was reading the patch MantisBT implemented for http://www.mantisbt.org/bugs/view.php?id=11952 (http://www.mantisbt.org/blog/?p=113), and I came across something we should probably do in Bugzilla. There is a header that we can send to make IE not second-guess the content-type we're sending with attachments. Documentation is available at http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx, but basically, we just need to send 'X-Content-Type-Options: nosniff' on attachments. We're pretty secure as-is with regards to handling attachments, but I think this would help protect us more, especially on IE...
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 453425
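As an added example (not Bugzilla's or MantisBT's own code), here is a small audit that checks whether a set of attachment response headers carries the `X-Content-Type-Options: nosniff` header the report recommends, and a helper that adds it; the sample responses are constructed for the example.

```python
"""Audit HTTP response headers for X-Content-Type-Options: nosniff (added example)."""
from typing import Dict, List, Optional


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def nosniff_enabled(headers: Dict[str, str]) -> bool:
    """True when the response opts out of MIME sniffing.

    Browsers compare only the first comma-separated value of
    X-Content-Type-Options, ASCII case-insensitively, against "nosniff".
    """
    value = _get_header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    return value.split(",")[0].strip().lower() == "nosniff"


def audit_attachment_response(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for an attachment response; empty means OK."""
    findings: List[str] = []
    if not nosniff_enabled(headers):
        findings.append("missing X-Content-Type-Options: nosniff; the browser may "
                        "second-guess the declared Content-Type of the attachment")
    if _get_header(headers, "Content-Type") is None:
        findings.append("missing Content-Type; nosniff only tells the browser to "
                        "trust the declared type, so there is nothing to trust")
    return findings


def with_nosniff(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with the nosniff opt-out added."""
    fixed = dict(headers)
    fixed["X-Content-Type-Options"] = "nosniff"
    return fixed


# Constructed sample: an attachment served without the header, then the fixed version.
SAMPLE_BEFORE = {"Content-Type": "text/plain",
                 "Content-Disposition": 'attachment; filename="log.txt"'}
SAMPLE_AFTER = with_nosniff(SAMPLE_BEFORE)

if __name__ == "__main__":
    print("before:", audit_attachment_response(SAMPLE_BEFORE))  # one finding
    print("after: ", audit_attachment_response(SAMPLE_AFTER))   # []
```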