Disable MIME-type sniffing on everything we serve

Bug #1356347 reported by François Marier
Affects: Libravatar (obsolete)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

MIME-type sniffing on IE can lead to unexpected code execution. It can be disabled using an extra header:

  X-Content-Type-Options: nosniff

It should be added to all avatar-serving responses that aren't redirections, but it could also be sent through with other dynamic and static content.

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

François Marier (fmarier) wrote :
tags: added: stretch
François Marier (fmarier) wrote :

It's possible that this option could prevent PNG/JPG/GIF files from being rendered correctly.

This should be tested carefully before enabling it on the mirrors.
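The header from the bug description and the rendering concern raised in the comment above, as an added example that is not Libravatar project code: a WSGI middleware that adds `X-Content-Type-Options: nosniff` to every non-redirect response, plus a small audit that checks image bodies against their declared Content-Type. Once sniffing is disabled the browser trusts only the declared type, so a mislabelled image is exactly the kind of breakage the comment warns about. The avatar paths, the `avatar_app`, `call` and `audit` helpers, and the sample bodies are all constructed assumptions, not anything from the project.

```python
"""Added example: nosniff middleware and a Content-Type audit for image responses.
Not Libravatar code; all paths, helpers and sample data below are assumptions."""

# File signatures for the image types the mirrors serve (PNG, JPEG, GIF).
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

NOSNIFF = ("X-Content-Type-Options", "nosniff")


def add_nosniff(app):
    """WSGI middleware: add the nosniff header to every non-redirect response."""
    def wrapper(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            code = int(status.split(" ", 1)[0])
            # 3xx responses carry nothing to sniff, so they are left alone.
            if not 300 <= code < 400:
                present = {name.lower() for name, _ in headers}
                if "x-content-type-options" not in present:
                    headers = list(headers) + [NOSNIFF]
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapper


def body_matches_content_type(content_type, body):
    """True when the body starts with the signature of the declared image type."""
    signatures = MAGIC.get(content_type.split(";")[0].strip().lower())
    if signatures is None:
        return False
    return any(body.startswith(sig) for sig in signatures)


# Constructed sample avatars: only the file signatures, not real images.
AVATARS = {
    "/avatar/abc": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "/avatar/def": ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    # Mislabelled: GIF bytes declared as PNG; would not render once nosniff is on.
    "/avatar/bad": ("image/png", b"GIF89a" + b"\x00" * 16),
}


def avatar_app(environ, start_response):
    """Toy avatar server (assumption): known hashes get an image, others a redirect."""
    path = environ.get("PATH_INFO", "/")
    if path in AVATARS:
        ctype, body = AVATARS[path]
        start_response("200 OK", [("Content-Type", ctype),
                                  ("Content-Length", str(len(body)))])
        return [body]
    start_response("302 Found", [("Location", "/static/default.png")])
    return [b""]


def call(app, path):
    """Invoke a WSGI app for one GET and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


def audit(app, paths):
    """List (path, problem) for non-redirect responses that lack nosniff or
    whose body does not match the declared Content-Type."""
    problems = []
    for p in paths:
        status, headers, body = call(app, p)
        if status.startswith("3"):
            continue
        if headers.get("X-Content-Type-Options") != "nosniff":
            problems.append((p, "missing nosniff"))
        if not body_matches_content_type(headers.get("Content-Type", ""), body):
            problems.append((p, "body does not match Content-Type"))
    return problems


if __name__ == "__main__":
    wrapped = add_nosniff(avatar_app)
    for issue in audit(wrapped, list(AVATARS) + ["/avatar/unknown"]):
        print(*issue)
```

Running the audit against the wrapped app flags only `/avatar/bad`, which is the case the comment is worried about: the header itself is harmless for correctly labelled PNG/JPG/GIF files, and the check can be run over a mirror's avatar tree before the header is switched on.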

François Marier (fmarier) wrote :

Bug 1252037 needs to be addressed before we can do this.

Changed in libravatar:
assignee: François Marier (fmarier) → nobody