Closed
Bug 998397
Opened 12 years ago
Closed 10 years ago
X-Content-Type-Options header missing
Categories
(Marketplace Graveyard :: General, defect, P5)
Tracking
(Not tracked)
VERIFIED
FIXED
2015-09-01
People
(Reporter: karthic.6030, Assigned: lucky.lavish, Mentored)
Details
(Whiteboard: [good first bug][lang=py])
Attachments (3 files): a screenshot (image/png, 137.25 KB) and two patches (1.57 KB and 2.03 KB).
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
Steps to reproduce:
URL: https://marketplace.firefox.com/
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.
Actual results:
X CONTENT TYPE OPTIONS HEADER MISSING
Expected results:
This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS header if the Content-Type header is unknown.
Comment 1•12 years ago
Raymond - this has come up before. Is this something we should add?
Comment 2 (Reporter)•12 years ago
Yes, you should add the X-Content-Type-Options header set to nosniff in the configuration to prevent content sniffing.
Updated•12 years ago
Flags: needinfo?(rforbes)
Priority: -- → P5
Comment 3 (Reporter)•12 years ago
Need to set it in the configuration to prevent content sniffing.
Comment 4•12 years ago
This is a pretty minor need; I would classify it as a "best practice".
I am pretty sure Firefox doesn't even support this header at this time.
https://bugzilla.mozilla.org/show_bug.cgi?id=471020
Flags: needinfo?(rforbes)
Updated•11 years ago
Whiteboard: [good first bug]
Comment 5•10 years ago
Hi Andy, it looks like it might not be very clear to a newbie how to fix this. Can you put some information here for newbies so that they can pick this bug and fix it?
Thanks,
Ram
Flags: needinfo?(amckay)
Comment 6•10 years ago
Adding in HTTP headers is likely a matter of altering the middleware in Django to insert the header as mentioned. Here's a module that works with HTTP headers:
https://github.com/mozilla/zamboni/blob/master/mkt/site/middleware.py
Here is documentation on middleware:
https://docs.djangoproject.com/en/1.8/topics/http/middleware/
Flags: needinfo?(amckay)
Comment 8•10 years ago
Sure Purva, assigning you to this bug. For any doubt, feel free to ask here or on #marketplace on irc.mozilla.org.
Assignee: nobody → arushgyl
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Updated•10 years ago
Assignee: arushgyl → purva.bansal
Hi Andy, can you please elaborate on what you want to convey through altering the middleware?
Updated•10 years ago
Mentor: mathieu
Updated•10 years ago
Mentor: mathieu → mpillard
Comment 11•10 years ago
You need to know Python/Django for this one, and need to have set up the Marketplace backend.
You need to modify one of the middleware classes we use, or create one and add it to our settings (mkt/settings.py, MIDDLEWARE_CLASSES), to add this functionality. Andy gave a link to some middlewares we are already using that also deal with HTTP headers, as an example you can draw inspiration from.
Alternatively, instead of doing all this, you could add a dependency on http://django-secure.readthedocs.org/en/latest/index.html by adding django-secure to requirements/prod.txt and following the django-secure docs to install it. Then follow the same docs to enable/disable what we care about (for this bug, I'd disable everything except SECURE_CONTENT_TYPE_NOSNIFF; we can take care of the other settings in a different bug).
Flags: needinfo?(mpillard)
Whiteboard: [good first bug] → [good first bug][lang=py]
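A middleware of the kind comment 11 describes, shown as an added example that is not zamboni's or django-secure's own code: the response class, the middleware class name and the check routine are constructed here so it runs without Django installed, and the check mirrors the finding in the description above.

```python
# Added example, not zamboni's or django-secure's code: a Django 1.8-style
# middleware (MIDDLEWARE_CLASSES / process_response) that adds
# X-Content-Type-Options: nosniff, plus the check the reporter's scanner
# performed. A constructed stand-in response is used so this runs without
# Django; in the real project the response would be an HttpResponse.


class StandInResponse(dict):
    """Constructed stand-in exposing the bits of HttpResponse the middleware
    uses: item assignment for headers and has_header()."""

    def __init__(self, content_type="text/html; charset=utf-8"):
        super(StandInResponse, self).__init__()
        self["Content-Type"] = content_type

    def has_header(self, name):
        # HTTP header names are case-insensitive, as in Django's HttpResponse.
        return any(key.lower() == name.lower() for key in self)


class ContentTypeNosniffMiddleware(object):
    """Sets X-Content-Type-Options: nosniff on every response unless the view
    already set one, mirroring django-secure's SECURE_CONTENT_TYPE_NOSNIFF.
    Hypothetical class name; it would be listed in MIDDLEWARE_CLASSES."""

    HEADER = "X-Content-Type-Options"

    def process_response(self, request, response):
        if not response.has_header(self.HEADER):
            response[self.HEADER] = "nosniff"
        return response


def check_nosniff(headers):
    """Judge a response header mapping the way the scanner in the description
    did. Returns (ok, reason); the reason is the finding text when not ok."""
    lowered = dict((k.lower(), v) for k, v in headers.items())
    value = lowered.get("x-content-type-options")
    if value is None:
        return False, "X-Content-Type-Options header missing"
    if value.strip().lower() != "nosniff":
        return False, "X-Content-Type-Options is %r, expected 'nosniff'" % value
    return True, "ok"


def demo():
    """Run a bare response and a middleware-processed one through the check."""
    before = check_nosniff(StandInResponse())
    processed = ContentTypeNosniffMiddleware().process_response(None, StandInResponse())
    return before, check_nosniff(processed)
```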
Comment 12 (Assignee)•10 years ago
Purva, are you still working on this bug?
Flags: needinfo?(purva.bansal)
Comment 13•10 years ago
No, I am pretty much stuck on this problem.
Flags: needinfo?(purva.bansal)
Comment 14 (Assignee)•10 years ago
Purva, can I work on this bug, if you are not working on it?
Flags: needinfo?(purva.bansal)
Comment 17 (Assignee)•10 years ago
Hi [:mat],
Would it be okay to add a process_response method to CommonMiddleware (in /mkt/site/middleware.py) to implement this functionality?
Flags: needinfo?(mpillard)
Comment 18•10 years ago
Actually, I'd prefer you add the django-secure middleware; this is the better option for the future since django-secure is integrated in Django 1.8.
Flags: needinfo?(mpillard)
Comment 19 (Assignee)•10 years ago
Please verify PR: https://github.com/mozilla/zamboni/pull/3295
Flags: needinfo?(mpillard)
Comment 20•10 years ago
Fixed by Lavish in https://github.com/mozilla/zamboni/commit/6c2a93435e9e034e2325e98c4b2b732e8c5cdfc8
Thanks!
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mpillard)
Resolution: --- → FIXED
Target Milestone: --- → 2015-09-01
Comment 21 (Assignee)•10 years ago
Comment 22 (Reporter)•10 years ago
Any bounty or swag for this bug?
Comment 23•10 years ago
Verified as fixed: http://screencast.com/t/4HuFUQrcXky
Status: RESOLVED → VERIFIED
Comment 24•10 years ago
(In reply to karthic kumar from comment #22)
> any bounty or swag for this bug
Hi Karthic,
The bounty is for security bugs only (more info: https://www.mozilla.org/en-US/security/bug-bounty/). I am not sure how much you know about our contribution opportunities with Mozilla (or if you are already a volunteer). By the way, you can read about them at https://www.mozilla.org/en-US/contribute/ and you are most welcome to join the volunteers (a lot of swag is waiting for you there).
You can contact me or any of the existing contributors if required. Find more Mozillians at:
https://mozillians.org/
https://reps.mozilla.org/
Thanks,
Ram