Send "X-Content-Type-Options: nosniff" with every response

RESOLVED FIXED in Bugzilla 4.2

Status

Product: Bugzilla
Component: Bugzilla-General
Priority: --
Severity: enhancement
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 5 years ago

People

(Reporter: Max Kanat-Alexander, Assigned: selsky)

Tracking

Version: unspecified
Target Milestone: Bugzilla 4.2
Bug Flags:
approval +
approval4.2 +

Attachments

(1 attachment)

Description (Reporter)

6 years ago
It just occurred to me that we should be sending "X-Content-Type-Options: nosniff" along with *every* response, not just with attachments. We specify a valid content-type always, on all our pages, and we never want IE or any browser sniffing.
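What the description asks for, shown as an added example that is not Bugzilla's own code (Bugzilla is written in Perl and the real change lives in Bugzilla/CGI.pm; this is a Python WSGI equivalent). The sample app, its paths and the header-ordering choice are constructed for the example: the app sets the header only on attachment downloads, which is the state the bug describes, and the middleware extends it to every response. `audit` is the check a reviewer would run over captured responses to find pages that still lack the header.

```python
from typing import Callable, Dict, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

NOSNIFF = ("X-Content-Type-Options", "nosniff")


def add_nosniff(headers: Headers) -> Headers:
    """Return headers carrying exactly one X-Content-Type-Options: nosniff.

    Any existing value (a duplicate, or a wrong value) is dropped first so the
    header is identical on every response.
    """
    kept = [(k, v) for k, v in headers if k.lower() != "x-content-type-options"]
    return kept + [NOSNIFF]


def nosniff_middleware(app: Callable) -> Callable:
    """WSGI middleware: applies add_nosniff to every response the wrapped app
    produces, whatever the path, status code or Content-Type."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, add_nosniff(list(headers)), exc_info)
        return app(environ, patched_start_response)
    return wrapped


def has_nosniff(headers: Headers) -> bool:
    """True if the response tells the browser not to sniff the content type."""
    return any(k.lower() == "x-content-type-options" and v.strip().lower() == "nosniff"
               for k, v in headers)


def audit(responses: Dict[str, Headers]) -> List[str]:
    """Return the paths whose response lacks the header, sorted for stable reporting."""
    return sorted(path for path, hdrs in responses.items() if not has_nosniff(hdrs))


# Constructed sample app (hypothetical, not Bugzilla): only attachment downloads
# send the header, every other page relies on Content-Type alone.
def bugzilla_like_app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path.startswith("/attachment.cgi"):
        start_response("200 OK", [("Content-Type", "text/plain; charset=UTF-8"),
                                  ("X-Content-Type-Options", "nosniff")])
        return [b"--- a/file\n+++ b/file\n"]
    start_response("200 OK", [("Content-Type", "text/html; charset=UTF-8")])
    return [b"<html><body>bug page</body></html>"]


def call(app: Callable, path: str) -> Tuple[str, Headers, bytes]:
    """Drive a WSGI app offline and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


def collect(app: Callable, paths: Iterable[str]) -> Dict[str, Headers]:
    """Capture the response headers of each path so audit() can inspect them."""
    return {p: call(app, p)[1] for p in paths}


# Constructed list of page paths to audit.
PATHS = ["/attachment.cgi", "/show_bug.cgi", "/buglist.cgi", "/rest/bug/1"]

if __name__ == "__main__":
    print("missing before:", audit(collect(bugzilla_like_app, PATHS)))
    print("missing after: ", audit(collect(nosniff_middleware(bugzilla_like_app), PATHS)))
```

Wrapping the whole application rather than individual handlers is the point of the bug: the header costs nothing on pages that already declare a correct Content-Type, and setting it centrally means a new page or extension cannot forget it.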

Comment 1

6 years ago
Why does it matter, outside attachments?
Comment 2 (Reporter)

6 years ago
(In reply to comment #1)
> Why does it matter, outside attachments?

  Who can say? Maybe some extension will want to use it, maybe we have some pages that might otherwise be sniffed. There are various valid security situations which could come up in the future where this would be useful on all our pages. (I'm happy to describe some of them to you privately if you'd like.)

Comment 3

6 years ago
(In reply to comment #2)
> I'm happy to describe some of them to you privately if you'd like.

Yes, please! :)

Note that I'm not opposed to this proposal (as it's trivial to implement). But I just want to understand what are the security implications you are talking about. I doubt that most websites around the world pass this response, and they are still working fine.
Comment 4 (Reporter)

6 years ago
(In reply to comment #3)
> (In reply to comment #2)
> > I'm happy to describe some of them to you privately if you'd like.
> 
> Yes, please! :)

  Okay. Grab me on IRC.

> I doubt that most websites around the world pass this
> response, and they are still working fine.

  Actually, quite a few are starting to, now that Safari, IE 8, and IE 9 are becoming more popular. Also, I would say that "most websites around the world" have a poor security posture. :-)

Updated

5 years ago
Target Milestone: Bugzilla 4.2 → Bugzilla 4.4
Comment 5 (Assignee)

5 years ago
Created attachment 627623 [details] [diff] [review]
Add header to all responses, v1
Assignee: general → selsky
Status: NEW → ASSIGNED
Attachment #627623 - Flags: review?(LpSolit)
yep, we should do this... +1 from me.

Comment 7

5 years ago
Comment on attachment 627623 [details] [diff] [review]
Add header to all responses, v1

r=LpSolit
Attachment #627623 - Flags: review?(LpSolit) → review+

Updated

5 years ago
Flags: approval+

Comment 8

5 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
modified Bugzilla/CGI.pm
modified Bugzilla/Attachment/PatchReader.pm
Committed revision 8249.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Requesting approval to land this on 4.2 as well in order to better prevent some IE-specific XSS issues.
Status: RESOLVED → REOPENED
Flags: approval4.2?
Resolution: FIXED → ---
Target Milestone: Bugzilla 4.4 → Bugzilla 4.2

Updated

5 years ago
Flags: approval4.2? → approval4.2+
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified attachment.cgi
modified Bugzilla/CGI.pm
modified Bugzilla/Attachment/PatchReader.pm
Committed revision 8136.
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 11

5 years ago
Added to relnotes for 4.4 and 4.2.4.