Roundup Tracker - Issues

Issue 2551257

classification
Make sure X-Content-Type-Options: nosniff header is set on @@file URLs.
Type: security Severity: minor
Components: Web interface Versions:
process
Status: fixed Resolution: fixed
Assignee: rouilj
Priority: normal

Created on 2023-02-02 01:24 by rouilj, last changed 2023-02-23 21:23 by rouilj.

Messages
msg7711 Author: [hidden] (rouilj) Date: 2023-02-02 01:24
Downloads using the @@file path (and arguably regular tracker/issue1 URLs) should
set the X-Content-Type-Options: nosniff header to prevent browsers from trying to determine
the MIME type on their own.
msg7731 Author: [hidden] (rouilj) Date: 2023-02-23 21:23
Fixed on rev 765222ef4cec. Added only for user-uploaded files (anything in FileClass served via
SendFile exception). These are the ones that are likely to be a security issue.
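
An added example, not part of the issue thread and not the change made in rev 765222ef4cec: a WSGI middleware that sets X-Content-Type-Options: nosniff only on responses for user-uploaded files, plus an in-process check of the resulting headers. The "/uploads/" prefix, the demo application and all names are assumptions made for this sketch.

```python
from wsgiref.util import setup_testing_defaults

UPLOAD_PREFIX = "/uploads/"  # hypothetical path under which user files are served


class NoSniffUploads:
    """Force X-Content-Type-Options: nosniff on user-uploaded file responses."""

    def __init__(self, app, prefix=UPLOAD_PREFIX):
        self.app = app
        self.prefix = prefix

    def __call__(self, environ, start_response):
        is_upload = environ.get("PATH_INFO", "").startswith(self.prefix)

        def patched_start(status, headers, exc_info=None):
            if is_upload:
                # Drop any existing value so exactly one header is sent.
                headers = [(k, v) for k, v in headers
                           if k.lower() != "x-content-type-options"]
                headers.append(("X-Content-Type-Options", "nosniff"))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start)


def demo_app(environ, start_response):
    """Constructed stand-in for a tracker: declared text/plain, bytes look like HTML."""
    body = b"<html><body>uploaded by a user</body></html>"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def fetch_headers(app, path):
    """Call a WSGI app in-process and return its response headers (lower-cased keys)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = {k.lower(): v for k, v in headers}

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    b"".join(app(environ, start_response))
    return captured["headers"]
```

The same `fetch_headers` helper can be pointed at any WSGI application object to confirm the header is present on file download paths before deployment.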
History
Date User Action Args
2023-02-23 21:23:49 rouilj set status: new -> fixed
priority: normal
resolution: fixed
messages: + msg7731
assignee: rouilj
2023-02-02 01:24:41 rouilj create