Support X-Content-Type-Options: nosniff for IE 8
Closed, Resolved · Public

IE 8 adds the ability to opt-out of content type sniffing, a traditional security vulnerability^H^H^Hfeature in that browser.

As of beta 2 this can be done by sending:

X-Content-Type-Options: nosniff

This might be wise to send with all MediaWiki output as another layer against type-aliasing sorts of attacks (eg serving raw page text that gets sniffed as HTML).

Unfortunately we can't have MediaWiki add this to uploaded files served from the regular web server; that would be a nice trick. :) But we could put it on there for img_auth.php, thumb.php, etc.

The header should be ignored by other (better-behaving) browsers.

Version: unspecified
Severity: enhancement

bzimport set Reference to bz15461.
brion created this task. Via Legacy, Sep 3 2008, 7:37 PM
demon added a comment. Via Conduit, Dec 18 2008, 5:42 PM

Created attachment 5592
Add header to StreamFile

Both img_auth and thumb use StreamFile, so I added the header for 'X-Content-Type-Options: nosniff' to wfStreamFile(). Does this cover it, or is there more to this?

attachment SF.patch ignored as obsolete

demon added a comment. Via Conduit, Dec 18 2008, 5:45 PM

Created attachment 5593

Wrong line, oops.

Attached: SF.patch

brion added a comment. Via Conduit, Dec 18 2008, 6:08 PM

Probably worth putting this on action=raw output, and maybe just on everything for good measure... :)

demon added a comment. Via Conduit, Sep 21 2010, 12:14 PM

Unassigning from myself. Good candidate for bugsmash in October.

brion added a comment. Via Conduit, May 13 2011, 12:53 PM

This'll also need to be added for RawPage at a minimum; wouldn't hurt to add it to regular OutputPage etc as well.

brion added a comment. Via Conduit, May 13 2011, 3:44 PM

Adding a bajillion of these everywhere we do a Content-Type header is very uggy... creating a wrapper function to add X-Content-Type-Options whenever we do a Content-Type would still mean changing all those and reminding people to use it in future.

Might actually be best to just stick it once in WebStart.php -- it'll always be set! :P

brion added a comment. Via Conduit, May 13 2011, 3:53 PM

Done on trunk in r87997.

Needs testing to confirm that it does in fact protect on IE8 and IE9 of course. :D
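A small header audit to go with the testing step above, as an added example that is not part of this ticket or of MediaWiki's own code. It classifies captured responses by whether `X-Content-Type-Options: nosniff` is present and whether a non-HTML declared type carries an HTML-looking body (the type-aliasing case the ticket describes); the endpoint names, headers and bodies in `SAMPLES` are constructed, not real captures.

```python
# Constructed samples below mimic the MediaWiki endpoints named in the ticket.
from typing import Dict, List, Tuple

# Body prefixes a sniffing browser may re-interpret as HTML when nosniff is absent.
HTML_LEADS = (b"<!doctype html", b"<html", b"<script", b"<body")

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' header lines into a dict keyed by lower-cased name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def has_nosniff(headers: Dict[str, str]) -> bool:
    """True when the header carries the one value IE8 honours (case-insensitive)."""
    return headers.get("x-content-type-options", "").lower() == "nosniff"

def classify(headers: Dict[str, str], body: bytes) -> str:
    """'protected' if nosniff is set; 'at-risk' when a non-HTML declared type
    carries an HTML-looking body (the type-aliasing case); else 'unprotected'."""
    if has_nosniff(headers):
        return "protected"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    lead = body.lstrip()[:32].lower()
    if ctype != "text/html" and lead.startswith(HTML_LEADS):
        return "at-risk"
    return "unprotected"

# Constructed sample responses: (endpoint, raw response headers, body).
SAMPLES: List[Tuple[str, str, bytes]] = [
    ("index.php?action=raw", "Content-Type: text/x-wiki; charset=UTF-8",
     b"<html><body>wikitext that happens to look like markup</body></html>"),
    ("thumb.php", "Content-Type: image/png\r\nX-Content-Type-Options: nosniff",
     b"\x89PNG\r\n\x1a\n"),
    ("img_auth.php", "Content-Type: application/octet-stream", b"plain bytes"),
]

def audit(samples: List[Tuple[str, str, bytes]] = SAMPLES) -> Dict[str, str]:
    """Map each endpoint to its verdict so a test run can flag any regression."""
    return {name: classify(parse_headers(raw), body) for name, raw, body in samples}

if __name__ == "__main__":
    for endpoint, verdict in audit().items():
        print(f"{endpoint:24} {verdict}")
```

Once the header is set globally in WebStart.php, every entry in the audit should come back `protected`; any other verdict points at a code path that bypasses that setup.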
