Disable MIME-type sniffing on everything we serve
Bug #1356347 reported by François Marier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Libravatar (obsolete) | Confirmed | Medium | Unassigned |
Bug Description
MIME-type sniffing on IE can lead to unexpected code execution. It can be disabled using an extra header:
X-Content-
It should be added to all avatar-serving responses that aren't redirections, but it could also be sent through with other dynamic and static content.
http://
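As an added example (not Libravatar's code, and not part of the bug report), the following stand-alone WSGI middleware implements the policy the description asks for: it appends the standard `X-Content-Type-Options: nosniff` header to every response except 3xx redirects, without duplicating it when an upstream layer already set it. The `avatar_app` below is a constructed stand-in for the real avatar views, with one image route, one redirect route and one HTML route, so the behaviour can be checked offline.

```python
"""WSGI middleware that adds ``X-Content-Type-Options: nosniff`` to every
non-redirect response, so browsers use the declared Content-Type instead of
guessing from the body.  Example written for this bug report; the avatar app
below is a constructed stand-in, not Libravatar's own views."""

# Standard header that turns off content sniffing in browsers that honour it.
NOSNIFF_HEADER = ("X-Content-Type-Options", "nosniff")


def _is_redirect(status: str) -> bool:
    """True for 3xx status lines such as '302 Found'.  Redirect responses
    carry no body worth sniffing, and the bug report exempts them."""
    return status[:1] == "3"


class NoSniffMiddleware:
    """Wrap a WSGI app and append the nosniff header where it is missing."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            if not _is_redirect(status) and "x-content-type-options" not in present:
                headers = list(headers) + [NOSNIFF_HEADER]
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def avatar_app(environ, start_response):
    """Constructed stand-in for an avatar-serving app (hypothetical routes)."""
    path = environ.get("PATH_INFO", "/")
    if path.startswith("/avatar/redirect/"):
        # e.g. an avatar delegated to another host: redirect, no body.
        start_response("302 Found", [("Location", "https://example.invalid/a.png")])
        return [b""]
    if path.startswith("/avatar/"):
        body = b"\x89PNG\r\n\x1a\n"  # constructed: PNG signature only, not a real image
        start_response("200 OK", [("Content-Type", "image/png"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    body = b"<html><body>Libravatar</body></html>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def request(app, path):
    """Drive a WSGI app for one GET request; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = NoSniffMiddleware(avatar_app)
    for p in ("/avatar/abc", "/avatar/redirect/abc", "/"):
        status, headers, _ = request(app, p)
        print(p, status, headers)
```

Because the check keys on the status line rather than on the URL, the header also lands on the site's other dynamic and static responses, which is the broader option the description mentions; the lookup of existing header names keeps the middleware safe to stack with a framework layer that sets the same header.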
There's a new option for this in Django 1.8:
https://docs.djangoproject.com/en/1.9/ref/settings/#secure-content-type-nosniff