Bug 671612: Send "X-Content-Type-Options: nosniff" with every response

author Matt Selsky <selsky@columbia.edu>

Sun, 9 Sep 2012 18:06:39 +0000 (11:06 -0700)

committer Reed Loden <reed@reedloden.com>

Sun, 9 Sep 2012 18:06:39 +0000 (11:06 -0700)
author Matt Selsky <selsky@columbia.edu>
Sun, 9 Sep 2012 18:06:39 +0000 (11:06 -0700)
committer Reed Loden <reed@reedloden.com>
Sun, 9 Sep 2012 18:06:39 +0000 (11:06 -0700)
diff --git a/Bugzilla/Attachment/PatchReader.pm b/Bugzilla/Attachment/PatchReader.pm

index 01a624a8fa3f41cc704a3b20ecd297deb96362b2..cfc7610f4029c5e4348081f812c2b3dc16abbfba 100644 (file)
--- a/Bugzilla/Attachment/PatchReader.pm
+++ b/Bugzilla/Attachment/PatchReader.pm
@@ -37,7 +37,6 @@ sub process_diff {
          $last_reader->sends_data_to(new PatchReader::DiffPrinter::raw());
          # Actually print out the patch.
          print $cgi->header(-type => 'text/plain',
-                           -x_content_type_options => "nosniff",
                             -expires => '+3M');
          disable_utf8();
          $reader->iterate_string('Attachment ' . $attachment->id, $attachment->data);
@@ -119,7 +118,6 @@ sub process_interdiff {
          $last_reader->sends_data_to(new PatchReader::DiffPrinter::raw());
          # Actually print out the patch.
          print $cgi->header(-type => 'text/plain',
-                           -x_content_type_options => "nosniff",
                             -expires => '+3M');
          disable_utf8();
      }
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm

index 7135f7c48a56d16fa6ff9198788911b69a082b6d..a16ae6686573ccc288aebb6b5f949a977720174c 100644 (file)
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -316,6 +316,10 @@ sub header {
          unshift(@_, '-x_frame_options' => 'SAMEORIGIN');
      }
  
+    # Add X-Content-Type-Options header to prevent browsers sniffing
+    # the MIME type away from the declared Content-Type.
+    unshift(@_, '-x_content_type_options' => 'nosniff');
+
      return $self->SUPER::header(@_) || "";
  }
  
diff --git a/attachment.cgi b/attachment.cgi

index 04bad37b3e3edf80bbd1194f72216788b5e89696..64f78dc36d41d5e1b279ebaa7854d3fc7cd13a4a 100755 (executable)
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -408,8 +408,7 @@ sub view {
      }
      print $cgi->header(-type=>"$contenttype; name=\"$filename\"",
                         -content_disposition=> "$disposition; filename=\"$filename\"",
-                       -content_length => $attachment->datasize,
-                       -x_content_type_options => "nosniff");
+                       -content_length => $attachment->datasize);
      disable_utf8();
      print $attachment->data;
  }
author	Matt Selsky <selsky@columbia.edu>
	Sun, 9 Sep 2012 18:06:39 +0000 (11:06 -0700)
committer	Reed Loden <reed@reedloden.com>
	Sun, 9 Sep 2012 18:06:39 +0000 (11:06 -0700)
Bugzilla/Attachment/PatchReader.pm		patch \| blob \| blame \| history
Bugzilla/CGI.pm		patch \| blob \| blame \| history
attachment.cgi		patch \| blob \| blame \| history