Last modified: 2013-04-08 11:02:13 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and except for displaying bug reports and their history, links might be broken. See T17461, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 15461 - Support X-Content-Type-Options: nosniff for IE 8
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: General/Unknown
Version: unspecified
Hardware/OS: All All
Importance: Low enhancement
Target Milestone: ---
Assigned To: Brion Vibber
URL: http://blogs.msdn.com/ie/archive/2008...
Keywords: patch, patch-need-review
Depends on:
Blocks:

Reported: 2008-09-03 19:37 UTC by Brion Vibber
Modified: 2013-04-08 11:02 UTC (History)
CC: 3 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Add header to StreamFile (573 bytes, patch)
2008-12-18 17:42 UTC, Chad H.
Details
Fixed (470 bytes, patch)
2008-12-18 17:45 UTC, Chad H.
Details

Description Brion Vibber 2008-09-03 19:37:32 UTC
IE 8 adds the ability to opt-out of content type sniffing, a traditional security vulnerability^H^H^Hfeature in that browser.

As of beta 2 this can be done by sending:

X-Content-Type-Options: nosniff

This might be wise to send with all MediaWiki output as another layer against type-aliasing sorts of attacks (e.g. serving raw page text that gets sniffed as HTML).

Unfortunately we can't have MediaWiki add this to uploaded files served from the regular web server; that would be a nice trick. :) But we could put it on there for img_auth.php, thumb.php, etc.

The header should be ignored by other (better-behaving) browsers.
Comment 1 Chad H. 2008-12-18 17:42:42 UTC
Created attachment 5592 [details]
Add header to StreamFile

Both img_auth and thumb use StreamFile, so I added the header for 'X-Content-Type-Options: nosniff' to wfStreamFile(). Does this cover it, or is there more to this?
Comment 2 Chad H. 2008-12-18 17:45:02 UTC
Created attachment 5593 [details]
Fixed

Wrong line, oops.
Comment 3 Brion Vibber 2008-12-18 18:08:17 UTC
Probably worth putting this on action=raw output, and maybe just on everything for good measure... :)
Comment 4 Chad H. 2010-09-21 12:14:39 UTC
Unassigning from myself. Good candidate for bugsmash in October.
Comment 5 Brion Vibber 2011-05-13 12:53:46 UTC
This'll also need to be added for RawPage at a minimum; wouldn't hurt to add it to regular OutputPage etc as well.
Comment 6 Brion Vibber 2011-05-13 15:44:38 UTC
Adding a bajillion of these everywhere we do a Content-Type header is very uggy... creating a wrapper function to add X-Content-Type-Options whenever we do a Content-Type would still mean changing all those and reminding people to use it in future.

Might actually be best to just stick it once in WebStart.php -- it'll always be set! :P
Comment 7 Brion Vibber 2011-05-13 15:53:59 UTC
Done on trunk in r87997.

Needs testing to confirm that it does in fact protect on IE8 and IE9 of course. :D
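As an added check for the behaviour discussed in the description and for the "needs testing" point in comment 7 (this is example code written for this page, not MediaWiki's code and not one of the attachments): a small Python audit that parses raw HTTP responses and reports which ones name no Content-Type or lack the sniffing opt-out header. The sample responses are constructed here and only loosely modelled on action=raw, thumb.php and img_auth.php output, so the script runs offline; point `audit()` at responses captured from a test wiki to verify the header really is set on every path.

```python
"""Audit HTTP responses for X-Content-Type-Options: nosniff.

Added example for this bug thread; it is not MediaWiki code. The sample
responses below are constructed, loosely modelled on what action=raw,
thumb.php and img_auth.php return, so the script runs offline.
"""
from typing import Dict, List, Tuple


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP response into (status line, header map).

    Header names are lower-cased (HTTP header names are case-insensitive)
    and a header that appears more than once keeps every value, in order.
    """
    text = raw.replace("\r\n", "\n")
    head, _sep, _body = text.partition("\n\n")
    lines = head.split("\n")
    status = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _colon, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def nosniff_findings(raw: str) -> List[str]:
    """Return the sniffing-related problems with one response.

    An empty list means the response declares its type and opts out of
    content sniffing, so a sniffing browser has to honour the declared type.
    """
    _status, headers = parse_response(raw)
    findings: List[str] = []
    if not headers.get("content-type"):
        findings.append("no Content-Type: the browser can only guess the type")
    options = [v.lower() for v in headers.get("x-content-type-options", [])]
    if not options:
        findings.append("missing X-Content-Type-Options header")
    elif "nosniff" not in options:
        findings.append("X-Content-Type-Options present but not 'nosniff'")
    return findings


# Constructed sample responses (not captured from a real wiki).
SAMPLE_RESPONSES: Dict[str, str] = {
    # Raw wikitext that happens to start with markup; with nosniff set the
    # declared text/x-wiki type wins over whatever the body looks like.
    "action=raw (header set)": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/x-wiki; charset=UTF-8\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "\r\n"
        "<html><body>wikitext that looks like HTML</body></html>"
    ),
    # Declares a type but still lets a sniffing browser second-guess it.
    "thumb.php (header missing)": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: image/png\r\n"
        "\r\n"
        "\x89PNG..."
    ),
    # Neither a declared type nor the opt-out header.
    "img_auth.php (no type, no header)": (
        "HTTP/1.1 200 OK\r\n"
        "Cache-Control: private\r\n"
        "\r\n"
        "<html>not really an image</html>"
    ),
}


def audit(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Run nosniff_findings over a set of named responses."""
    return {name: nosniff_findings(raw) for name, raw in responses.items()}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RESPONSES).items():
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{name}: {verdict}")
```

The header value is compared case-insensitively because a server may emit `NOSNIFF`, and a missing Content-Type is reported separately: `nosniff` only tells the browser to trust the declared type, so a response with no declared type gains nothing from it.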


