User images should be served with content sniffing disabled

Bug #1656184 reported by François Marier
Affects: Libravatar (obsolete)
Status: Triaged
Importance: High
Assigned to: François Marier

Bug Description

Images uploaded by users should be served with "X-Content-Type-Options: nosniff" in order to disable any browser sniffing which could lead to a privilege escalation on chameleon content.

  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

In addition, the main service could expose this header on all responses too.

We'll need to ensure that images without an extension are correctly recognized as gif, jpg or png.
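As an added illustration of the description above (example code, not Libravatar's own), here is one way to recognise extension-less uploads by their leading bytes and attach the nosniff header; the function names and the "refuse unknown bytes" policy are assumptions.

```python
# Added example, not Libravatar's code: identify a user-uploaded image by its
# magic bytes (the upload may have no extension) and build the response
# headers so the browser trusts Content-Type instead of sniffing the body.

from typing import Optional

# Leading bytes of the three formats the bug report names.
_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
)


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type for PNG, GIF or JPEG bytes, or None if unrecognised."""
    for magic, mime in _MAGIC:
        if data[: len(magic)] == magic:
            return mime
    return None


def image_response_headers(data: bytes) -> Optional[dict]:
    """Headers for serving a stored user image, or None if it is not an image.

    Returning None lets the caller refuse to serve the object (e.g. HTTP 415)
    rather than hand the browser bytes it might reinterpret as HTML or script.
    """
    mime = sniff_image_type(data)
    if mime is None:
        return None
    return {
        "Content-Type": mime,
        # Tell the browser to honour Content-Type and never sniff the body.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample: a minimal GIF header followed by padding bytes.
    print(image_response_headers(b"GIF89a" + b"\x00" * 8))
```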

François Marier (fmarier) wrote :

Bug 1252037 needs to be addressed before we can do this.

information type: Private Security → Public