Support X-Content-Type-Options: nosniff for IE 8
Status: Closed, Resolved. Visibility: Public


IE 8 adds the ability to opt-out of content type sniffing, a traditional security vulnerability^H^H^Hfeature in that browser.

As of beta 2 this can be done by sending:

X-Content-Type-Options: nosniff

This might be wise to send with all MediaWiki output as another layer against type-aliasing sorts of attacks (e.g. serving raw page text that gets sniffed as HTML).

Unfortunately we can't have MediaWiki add this to uploaded files served from the regular web server; that would be a nice trick. :) But we could put it on there for img_auth.php, thumb.php, etc.

The header should be ignored by other (better-behaving) browsers.

Version: unspecified
Severity: enhancement

bzimport set Reference to bz15461.
brion created this task. Via Legacy, Sep 3 2008, 7:37 PM
demon added a comment. Via Conduit, Dec 18 2008, 5:42 PM

Created attachment 5592
Add header to StreamFile

Both img_auth and thumb use StreamFile, so I added the header for 'X-Content-Type-Options: nosniff' to wfStreamFile(). Does this cover it, or is there more to this?

attachment SF.patch ignored as obsolete

demon added a comment. Via Conduit, Dec 18 2008, 5:45 PM

Created attachment 5593

Wrong line, oops.

Attached: SF.patch

brion added a comment. Via Conduit, Dec 18 2008, 6:08 PM

Probably worth putting this on action=raw output, and maybe just on everything for good measure... :)

demon added a comment. Via Conduit, Sep 21 2010, 12:14 PM

Unassigning from myself. Good candidate for bugsmash in October.

brion added a comment. Via Conduit, May 13 2011, 12:53 PM

This'll also need to be added for RawPage at a minimum; wouldn't hurt to add it to regular OutputPage etc as well.

brion added a comment. Via Conduit, May 13 2011, 3:44 PM

Adding a bajillion of these everywhere we do a Content-Type header is very uggy... creating a wrapper function to add X-Content-Type-Options whenever we do a Content-Type would still mean changing all those and reminding people to use it in future.

Might actually be best to just stick it once in WebStart.php -- it'll always be set! :P

brion added a comment. Via Conduit, May 13 2011, 3:53 PM

Done on trunk in r87997.

Needs testing to confirm that it does in fact protect on IE8 and IE9 of course. :D
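The "set it once at the entry point" approach the thread settles on, sketched as a WSGI middleware plus a small audit helper. This is an added example, not MediaWiki code or the r87997 change; the raw-page stand-in, the paths and the header captures are constructed for illustration.

```python
"""Add X-Content-Type-Options: nosniff once, at the entry point, for every
response regardless of Content-Type, and audit captured responses for it.
Added example (not MediaWiki code); endpoints and captures are constructed."""
from typing import Callable, Dict, Iterable, List, Tuple

Headers = List[Tuple[str, str]]
NOSNIFF = ("X-Content-Type-Options", "nosniff")


def add_nosniff(headers: Headers) -> Headers:
    """Return headers with nosniff present; header names are case-insensitive,
    so an existing copy (any case) is left alone rather than duplicated."""
    if any(name.lower() == "x-content-type-options" for name, _ in headers):
        return headers
    return headers + [NOSNIFF]


class NosniffMiddleware:
    """Wrap a WSGI app so every response it emits carries the header, the same
    idea as setting it in WebStart.php rather than at each Content-Type call."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            return start_response(status, add_nosniff(list(headers)), exc_info)
        return self.app(environ, wrapped_start)


def raw_page_app(environ, start_response) -> Iterable[bytes]:
    """Constructed stand-in for action=raw: wikitext with a non-HTML type that a
    sniffing browser could otherwise decide to treat as HTML."""
    start_response("200 OK", [("Content-Type", "text/x-wiki; charset=UTF-8")])
    return [b"== Heading ==\n<b>markup inside wikitext</b>\n"]


def run(app, path: str = "/index.php") -> Tuple[str, Headers, bytes]:
    """Minimal in-process WSGI driver; returns (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


def missing_nosniff(captures: Dict[str, Headers]) -> List[str]:
    """Audit: paths whose captured response headers lack a nosniff directive."""
    return sorted(path for path, hdrs in captures.items()
                  if not any(n.lower() == "x-content-type-options"
                             and v.strip().lower() == "nosniff" for n, v in hdrs))
```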
