Bug 671612: Send "X-Content-Type-Options: nosniff" with every response

author Matt Selsky <selsky@columbia.edu>

Tue, 29 May 2012 15:01:42 +0000 (17:01 +0200)

committer Frédéric Buclin <LpSolit@gmail.com>

Tue, 29 May 2012 15:01:42 +0000 (17:01 +0200)
author Matt Selsky <selsky@columbia.edu>
Tue, 29 May 2012 15:01:42 +0000 (17:01 +0200)
committer Frédéric Buclin <LpSolit@gmail.com>
Tue, 29 May 2012 15:01:42 +0000 (17:01 +0200)
diff --git a/Bugzilla/Attachment/PatchReader.pm b/Bugzilla/Attachment/PatchReader.pm

index c79b96ed2f79fbd940d86d803f0f33b2a7a18a71..e9cb189efaacfaf4c8672d13daaa7c4e997bf866 100644 (file)
--- a/Bugzilla/Attachment/PatchReader.pm
+++ b/Bugzilla/Attachment/PatchReader.pm
@@ -27,7 +27,6 @@ sub process_diff {
          $last_reader->sends_data_to(new PatchReader::DiffPrinter::raw());
          # Actually print out the patch.
          print $cgi->header(-type => 'text/plain',
-                           -x_content_type_options => "nosniff",
                             -expires => '+3M');
          disable_utf8();
          $reader->iterate_string('Attachment ' . $attachment->id, $attachment->data);
@@ -109,7 +108,6 @@ sub process_interdiff {
          $last_reader->sends_data_to(new PatchReader::DiffPrinter::raw());
          # Actually print out the patch.
          print $cgi->header(-type => 'text/plain',
-                           -x_content_type_options => "nosniff",
                             -expires => '+3M');
          disable_utf8();
      }
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm

index 98fa3d79bfb23b094c0e42f2c594002bb0cc966d..fc29008c3275f5b9e254fbd601891383367dbf26 100644 (file)
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -317,6 +317,10 @@ sub header {
      # and enforce the blocking (rather than the rewriting) mode.
      unshift(@_, '-x_xss_protection' => '1; mode=block');
  
+    # Add X-Content-Type-Options header to prevent browsers sniffing
+    # the MIME type away from the declared Content-Type.
+    unshift(@_, '-x_content_type_options' => 'nosniff');
+
      return $self->SUPER::header(@_) || "";
  }
  
diff --git a/attachment.cgi b/attachment.cgi

index 2bc6e54544fa60efcdbae490570a96177e119c6a..92f48d05d52f94deea017a96f14915f620b5d5fa 100755 (executable)
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -385,8 +385,7 @@ sub view {
      }
      print $cgi->header(-type=>"$contenttype; name=\"$filename\"",
                         -content_disposition=> "$disposition; filename=\"$filename\"",
-                       -content_length => $attachment->datasize,
-                       -x_content_type_options => "nosniff");
+                       -content_length => $attachment->datasize);
      disable_utf8();
      print $attachment->data;
  }
author	Matt Selsky <selsky@columbia.edu>
	Tue, 29 May 2012 15:01:42 +0000 (17:01 +0200)
committer	Frédéric Buclin <LpSolit@gmail.com>
	Tue, 29 May 2012 15:01:42 +0000 (17:01 +0200)
Bugzilla/Attachment/PatchReader.pm		patch \| blob \| blame \| history
Bugzilla/CGI.pm		patch \| blob \| blame \| history
attachment.cgi		patch \| blob \| blame \| history