Bug 671612 - Send "X-Content-Type-Options: nosniff" with every response
Status: Closed, RESOLVED FIXED
Opened 14 years ago; closed 12 years ago
Product / Component: Bugzilla :: Bugzilla-General (enhancement)
Target Milestone: Bugzilla 4.2
People: Reporter mkanat; Assigned selsky
Attachments (1 file): patch, 1.95 KB, review+ (LpSolit)
Description
It just occurred to me that we should be sending "X-Content-Type-Options: nosniff" along with *every* response, not just with attachments. We specify a valid content-type always, on all our pages, and we never want IE or any browser sniffing.
Comment 1 • 14 years ago
Why does it matter, outside attachments?
Comment 2 • 14 years ago (Reporter)
(In reply to comment #1)
> Why does it matter, outside attachments?
Who can say? Maybe some extension will want to use it, maybe we have some pages that might otherwise be sniffed. There are various valid security situations which could come up in the future where this would be useful on all our pages. (I'm happy to describe some of them to you privately if you'd like.)
Comment 3 • 14 years ago
(In reply to comment #2)
> I'm happy to describe some of them to you privately if you'd like.
Yes, please! :)
Note that I'm not opposed to this proposal (as it's trivial to implement). But I just want to understand what the security implications you are talking about are. I doubt that most websites around the world pass this response, and they are still working fine.
Comment 4 • 14 years ago (Reporter)
(In reply to comment #3)
> (In reply to comment #2)
> > I'm happy to describe some of them to you privately if you'd like.
>
> Yes, please! :)
Okay. Grab me on IRC.
> I doubt that most websites around the world pass this
> response, and they are still working fine.
Actually, quite a few are starting to, now that Safari, IE 8, and IE 9 are becoming more popular. Also, I would say that "most websites around the world" have a poor security posture. :-)
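An added example, not part of this bug thread and not Bugzilla's own Perl change (which, per comment 8, touched attachment.cgi, Bugzilla/CGI.pm and Bugzilla/Attachment/PatchReader.pm): a Python WSGI middleware that stamps `X-Content-Type-Options: nosniff` onto every response from one central hook, which is the approach the bug asks for, plus an audit helper that reports which paths still lack the header. The handler functions, the `/` and `/attachment.cgi` routing and the header lists are constructed sample data; `wsgiref.util.setup_testing_defaults` is the standard-library helper used to build the fake request.

```python
from wsgiref.util import setup_testing_defaults

NOSNIFF_NAME = "X-Content-Type-Options"
NOSNIFF_VALUE = "nosniff"


def nosniff_middleware(app):
    """Wrap a WSGI app so every response carries the header exactly once,
    no matter which handler produced it (one central hook, rather than
    editing each page that emits a response)."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            # Drop any copy the handler set itself so the header is never
            # duplicated, then append the canonical one.
            kept = [(k, v) for (k, v) in headers
                    if k.lower() != NOSNIFF_NAME.lower()]
            kept.append((NOSNIFF_NAME, NOSNIFF_VALUE))
            return start_response(status, kept, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def missing_nosniff(headers):
    """Audit check: True when a response's header list has no correct
    X-Content-Type-Options: nosniff (name and value compared
    case-insensitively, the way browsers treat them)."""
    return not any(k.lower() == NOSNIFF_NAME.lower()
                   and v.strip().lower() == NOSNIFF_VALUE
                   for k, v in headers)


def call_app(app, path="/"):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def audit(app, paths):
    """Return the paths whose responses still lack the nosniff header."""
    return [p for p in paths if missing_nosniff(call_app(app, p)[1])]


# Constructed stand-ins for two kinds of page. Only the attachment handler
# sets the header itself, mirroring the state before this bug was fixed.
def html_page(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>bug list</body></html>"]


def attachment_page(environ, start_response):
    # User-supplied bytes served as text/plain; nosniff tells the browser to
    # honour that declared type instead of guessing from the content.
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("x-content-type-options", "NOSNIFF")])
    return [b"<html>this looks like markup but must stay plain text</html>"]


def site(environ, start_response):
    if environ["PATH_INFO"].startswith("/attachment.cgi"):
        return attachment_page(environ, start_response)
    return html_page(environ, start_response)


if __name__ == "__main__":
    paths = ["/", "/attachment.cgi"]
    print("missing before middleware:", audit(site, paths))
    print("missing after middleware: ", audit(nosniff_middleware(site), paths))
```

Running the block prints `['/']` for the unwrapped site and `[]` once the middleware is in place; the audit function is the part worth keeping in a deployment checklist, since it catches any new page or extension that bypasses the central hook.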
Updated • 13 years ago
Target Milestone: Bugzilla 4.2 → Bugzilla 4.4
Comment 5 • 13 years ago (Assignee)
Comment 6 • 13 years ago
yep, we should do this... +1 from me.
Comment 7 • 13 years ago
Comment on attachment 627623 [details] [diff] [review]
Add header to all responses, v1
r=LpSolit
Attachment #627623 - Flags: review?(LpSolit) → review+
Updated • 13 years ago
Flags: approval+
Comment 8 • 13 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
modified Bugzilla/CGI.pm
modified Bugzilla/Attachment/PatchReader.pm
Committed revision 8249.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 9 • 12 years ago
Requesting approval to land this on 4.2 as well in order to better prevent some IE-specific XSS issues.
Status: RESOLVED → REOPENED
Flags: approval4.2?
Resolution: FIXED → ---
Target Milestone: Bugzilla 4.4 → Bugzilla 4.2
Updated • 12 years ago
Flags: approval4.2? → approval4.2+
Comment 10 • 12 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified attachment.cgi
modified Bugzilla/CGI.pm
modified Bugzilla/Attachment/PatchReader.pm
Committed revision 8136.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 12 years ago
Resolution: --- → FIXED
Comment 11 • 12 years ago
Added to relnotes for 4.4 and 4.2.4.