Disable MIME-type sniffing on everything we serve

Bug #1356347 reported by François Marier on 2014-08-13
This bug affects 1 person
Affects       Status      Importance    Assigned to    Milestone
Libravatar                Medium        Unassigned

Bug Description

MIME-type sniffing on IE can lead to unexpected code execution. It can be disabled using an extra header:

  X-Content-Type-Options: nosniff

It should be added to all avatar-serving responses that aren't redirections, but it could also be sent through with other dynamic and static content.

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
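As an added illustration (not Libravatar's own code), the Python below wraps a WSGI application so that every non-redirect response carries the header described above, and includes the check worth running before enabling it on the mirrors: that each avatar's declared Content-Type matches its magic bytes, since with nosniff the browser no longer corrects a wrong type. The middleware class, function names and the sample bytes are assumptions, not part of the project.

```python
# Added example (not Libravatar's code): a WSGI wrapper that adds
# X-Content-Type-Options: nosniff to every non-redirect response, plus a
# check that an avatar's declared Content-Type matches its magic bytes,
# since with nosniff the browser will no longer correct a wrong type.

# Magic-byte prefixes for the three avatar formats the bug names.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

def needs_nosniff(status):
    """True unless the WSGI status line is a redirection (3xx)."""
    code = int(status.split(None, 1)[0])
    return not 300 <= code <= 399

def add_nosniff(status, headers):
    """Return a copy of headers with nosniff added once, for non-redirects."""
    headers = list(headers)
    if not needs_nosniff(status):
        return headers
    if any(name.lower() == "x-content-type-options" for name, _ in headers):
        return headers
    return headers + [("X-Content-Type-Options", "nosniff")]

class NosniffMiddleware:
    """Hypothetical WSGI wrapper applying add_nosniff to each response."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            return start_response(status, add_nosniff(status, headers), exc_info)
        return self.app(environ, wrapped_start)

def content_type_matches(content_type, body):
    """Does the declared image type agree with the body's magic bytes?
    A mismatch means the avatar would stop rendering once nosniff is on."""
    ctype = content_type.split(";", 1)[0].strip().lower()
    prefixes = MAGIC.get(ctype)
    return prefixes is not None and body.startswith(prefixes)

# Constructed sample: a PNG signature followed by filler bytes.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
```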

description: updated
François Marier (fmarier) wrote :
tags: added: stretch
François Marier (fmarier) wrote :

It's possible that this option could prevent PNG/JPG/GIF files from being rendered correctly.

This should be tested carefully before enabling it on the mirrors.

François Marier (fmarier) wrote :

Bug 1252037 needs to be addressed before we can do this.

Changed in libravatar:
assignee: François Marier (fmarier) → nobody