Bug 671612 - Send "X-Content-Type-Options: nosniff" with every response
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General
Version: unspecified
Platform: All All
Importance: -- enhancement
Target Milestone: Bugzilla 4.2
Assigned To: Matt Selsky [:selsky]
QA Contact: default-qa
Mentors:
Depends on:
Blocks:
Reported: 2011-07-14 11:19 PDT by Max Kanat-Alexander
Modified: 2012-11-01 11:27 PDT
CC: 2 users
LpSolit: approval+
LpSolit: approval4.2+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

Attachments
Add header to all responses, v1 (1.95 KB, patch)
2012-05-27 23:28 PDT, Matt Selsky [:selsky]
LpSolit: review+

Description Max Kanat-Alexander 2011-07-14 11:19:35 PDT
It just occurred to me that we should be sending "X-Content-Type-Options: nosniff" along with *every* response, not just with attachments. We specify a valid content-type always, on all our pages, and we never want IE or any browser sniffing.
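The check a reviewer would want next to the change described above, as an added Python example (not Bugzilla's own Perl code): a WSGI-style wrapper that attaches the header to every response, plus an audit that flags a response where nosniff is missing or wrong, or where the Content-Type that nosniff makes authoritative is missing or malformed. The function and class names and the sample headers are constructed for this example.

```python
import re

NOSNIFF = ("X-Content-Type-Options", "nosniff")
# token/token media type (RFC 7231 s.3.1.1.1); parameters after ';' are ignored
_MEDIA_TYPE = re.compile(r"^[-!#$%&'*+.^_`|~0-9A-Za-z]+/[-!#$%&'*+.^_`|~0-9A-Za-z]+$")

def add_nosniff(headers):
    """Copy of a (name, value) header list carrying nosniff exactly once;
    names compare case-insensitively, so an existing header is replaced."""
    kept = [(k, v) for k, v in headers if k.lower() != "x-content-type-options"]
    return kept + [NOSNIFF]

def audit(headers):
    """Problems found in one response's headers ([] means OK).  nosniff makes
    the declared Content-Type authoritative, so a missing or malformed
    Content-Type is reported next to a missing or wrong nosniff."""
    problems = []
    hdrs = {k.lower(): v for k, v in headers}
    xcto = hdrs.get("x-content-type-options")
    if xcto is None:
        problems.append("missing X-Content-Type-Options")
    elif xcto.strip().lower() != "nosniff":
        problems.append("X-Content-Type-Options is %r, not 'nosniff'" % xcto)
    ctype = hdrs.get("content-type")
    if ctype is None:
        problems.append("missing Content-Type")
    elif not _MEDIA_TYPE.match(ctype.split(";", 1)[0].strip()):
        problems.append("malformed Content-Type %r" % ctype)
    return problems

class NoSniffMiddleware:
    """WSGI wrapper (constructed): every response passes through add_nosniff."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            return start_response(status, add_nosniff(headers), exc_info)
        return self.app(environ, wrapped_start)

def demo():
    """Constructed sample: an app that sets only Content-Type, run through the
    middleware; returns the header list the client would receive."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html; charset=UTF-8")])
        return [b"<html></html>"]
    seen = []
    NoSniffMiddleware(app)({}, lambda status, headers, exc_info=None: seen.append(headers))
    return seen[0]
```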
Comment 1 Frédéric Buclin 2011-07-17 08:43:36 PDT
Why does it matter, outside attachments?
Comment 2 Max Kanat-Alexander 2011-07-19 15:52:23 PDT
(In reply to comment #1)
> Why does it matter, outside attachments?

Who can say? Maybe some extension will want to use it, maybe we have some pages that might otherwise be sniffed. There are various valid security situations which could come up in the future where this would be useful on all our pages. (I'm happy to describe some of them to you privately if you'd like.)
Comment 3 Frédéric Buclin 2011-07-20 02:36:13 PDT
(In reply to comment #2)
> I'm happy to describe some of them to you privately if you'd like.

Yes, please! :)

Note that I'm not opposed to this proposal (as it's trivial to implement). But I just want to understand what the security implications you are talking about are. I doubt that most websites around the world pass this response, and they are still working fine.
Comment 4 Max Kanat-Alexander 2011-07-21 14:03:07 PDT
(In reply to comment #3)
> (In reply to comment #2)
> > I'm happy to describe some of them to you privately if you'd like.
> 
> Yes, please! :)

Okay. Grab me on IRC.

> I doubt that most websites around the world pass this
> response, and they are still working fine.

Actually, quite a few are starting to, now that Safari, IE 8, and IE 9 are becoming more popular. Also, I would say that "most websites around the world" have a poor security posture. :-)
Comment 5 Matt Selsky [:selsky] 2012-05-27 23:28:33 PDT
Created attachment 627623 [details] [diff] [review]
Add header to all responses, v1
Comment 6 Reed Loden [:reed] (use needinfo?) 2012-05-27 23:42:12 PDT
yep, we should do this... +1 from me.
Comment 7 Frédéric Buclin 2012-05-29 08:00:20 PDT
Comment on attachment 627623 [details] [diff] [review]
Add header to all responses, v1

r=LpSolit
Comment 8 Frédéric Buclin 2012-05-29 08:02:39 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
modified Bugzilla/CGI.pm
modified Bugzilla/Attachment/PatchReader.pm
Committed revision 8249.
Comment 9 Reed Loden [:reed] (use needinfo?) 2012-09-09 11:00:24 PDT
Requesting approval to land this on 4.2 as well in order to better prevent some IE-specific XSS issues.
Comment 10 Reed Loden [:reed] (use needinfo?) 2012-09-09 11:07:14 PDT
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified attachment.cgi
modified Bugzilla/CGI.pm
modified Bugzilla/Attachment/PatchReader.pm
Committed revision 8136.
Comment 11 Frédéric Buclin 2012-11-01 11:27:11 PDT
Added to relnotes for 4.4 and 4.2.4.