Bug 671612 - Send "X-Content-Type-Options: nosniff" with every response
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General (show other bugs)
Version: unspecified
Platform: All All
Importance: -- enhancement
Target Milestone: Bugzilla 4.2
Assigned To: Matt Selsky [:selsky]
QA Contact: default-qa
Mentors:
Depends on:
Blocks:
 
Reported: 2011-07-14 11:19 PDT by Max Kanat-Alexander
Modified: 2012-11-01 11:27 PDT (History)
LpSolit: approval+
LpSolit: approval4.2+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
Add header to all responses, v1 (1.95 KB, patch)
2012-05-27 23:28 PDT, Matt Selsky [:selsky]
LpSolit: review+

Description Max Kanat-Alexander 2011-07-14 11:19:35 PDT
It just occurred to me that we should be sending "X-Content-Type-Options: nosniff" along with *every* response, not just with attachments. We specify a valid content-type always, on all our pages, and we never want IE or any browser sniffing.
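An added example, not Bugzilla code or part of this bug: a small audit routine that checks raw HTTP responses for the policy described above (a declared Content-Type plus "X-Content-Type-Options: nosniff" on every response). The sample responses are constructed, not captured from a real Bugzilla instance.

```python
# Added example (not from Bugzilla): audit HTTP response headers for the
# "send nosniff with every response" policy. Sample responses are constructed.
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response (status line + header block) into a dict.
    Header names are lowercased so lookups are case-insensitive; the first
    occurrence of a header wins."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def audit_response(raw: str) -> List[str]:
    """Return findings for one response; an empty list means it passes."""
    h = parse_headers(raw)
    findings: List[str] = []
    if "content-type" not in h:
        # nosniff only tells the browser to trust a type that is actually declared
        findings.append("missing Content-Type header")
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("missing X-Content-Type-Options header")
    elif xcto.lower() != "nosniff":
        findings.append(f"unexpected X-Content-Type-Options value: {xcto!r}")
    return findings


# Constructed sample responses covering a passing page and three failure modes.
SAMPLES = {
    "page_ok": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
               "X-Content-Type-Options: nosniff\r\n\r\n<html></html>",
    "page_no_nosniff": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "bad_value": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 "x-content-type-options: sniff\r\n\r\nhello",
    "no_ctype": "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n\r\nhello",
}


def audit_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Audit every sample and map its name to the list of findings."""
    return {name: audit_response(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "; ".join(findings))
```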
Comment 1 Frédéric Buclin 2011-07-17 08:43:36 PDT
Why does it matter, outside attachments?
Comment 2 Max Kanat-Alexander 2011-07-19 15:52:23 PDT
(In reply to comment #1)
> Why does it matter, outside attachments?

Who can say? Maybe some extension will want to use it, maybe we have some pages that might otherwise be sniffed. There are various valid security situations which could come up in the future where this would be useful on all our pages. (I'm happy to describe some of them to you privately if you'd like.)
Comment 3 Frédéric Buclin 2011-07-20 02:36:13 PDT
(In reply to comment #2)
> I'm happy to describe some of them to you privately if you'd like.

Yes, please! :)

Note that I'm not opposed to this proposal (as it's trivial to implement). But I just want to understand what are the security implications you are talking about. I doubt that most websites around the world pass this response, and they are still working fine.
Comment 4 Max Kanat-Alexander 2011-07-21 14:03:07 PDT
(In reply to comment #3)
> (In reply to comment #2)
> > I'm happy to describe some of them to you privately if you'd like.
> 
> Yes, please! :)

Okay. Grab me on IRC.

> I doubt that most websites around the world pass this
> response, and they are still working fine.

Actually, quite a few are starting to, now that Safari, IE 8, and IE 9 are becoming more popular. Also, I would say that "most websites around the world" have a poor security posture. :-)
Comment 5 Matt Selsky [:selsky] 2012-05-27 23:28:33 PDT
Created attachment 627623 [details] [diff] [review]
Add header to all responses, v1
Comment 6 Reed Loden [:reed] (use needinfo?) 2012-05-27 23:42:12 PDT
yep, we should do this... +1 from me.
Comment 7 Frédéric Buclin 2012-05-29 08:00:20 PDT
Comment on attachment 627623 [details] [diff] [review]
Add header to all responses, v1

r=LpSolit
Comment 8 Frédéric Buclin 2012-05-29 08:02:39 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
modified Bugzilla/CGI.pm
modified Bugzilla/Attachment/PatchReader.pm
Committed revision 8249.
Comment 9 Reed Loden [:reed] (use needinfo?) 2012-09-09 11:00:24 PDT
Requesting approval to land this on 4.2 as well in order to better prevent some IE-specific XSS issues.
Comment 10 Reed Loden [:reed] (use needinfo?) 2012-09-09 11:07:14 PDT
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified attachment.cgi
modified Bugzilla/CGI.pm
modified Bugzilla/Attachment/PatchReader.pm
Committed revision 8136.
Comment 11 Frédéric Buclin 2012-11-01 11:27:11 PDT
Added to relnotes for 4.4 and 4.2.4.