
Support X-Content-Type-Options: nosniff for IE 8
Closed, Resolved · Public

Description

IE 8 adds the ability to opt-out of content type sniffing, a traditional security vulnerability^H^H^Hfeature in that browser.

As of beta 2 this can be done by sending:

X-Content-Type-Options: nosniff

This might be wise to send with all MediaWiki output as another layer against type-aliasing sorts of attacks (e.g. serving raw page text that gets sniffed as HTML).

Unfortunately we can't have MediaWiki add this to uploaded files served from the regular web server; that would be a nice trick. :) But we could put it on there for img_auth.php, thumb.php, etc.

The header should be ignored by other (better-behaving) browsers.


Version: unspecified
Severity: enhancement
URL: http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

Details

Reference
bz15461

Event Timeline

bzimport raised the priority of this task from to Low. Nov 21 2014, 10:19 PM
bzimport set Reference to bz15461.

Created attachment 5592
Add header to StreamFile

Both img_auth and thumb use StreamFile, so I added the header for 'X-Content-Type-Options: nosniff' to wfStreamFile(). Does this cover it, or is there more to this?

attachment SF.patch ignored as obsolete

Created attachment 5593
Fixed

Wrong line, oops.

Attached:

Probably worth putting this on action=raw output, and maybe just on everything for good measure... :)

Unassigning from myself. Good candidate for bugsmash in October.

This'll also need to be added for RawPage at a minimum; wouldn't hurt to add it to regular OutputPage etc as well.

Adding a bajillion of these everywhere we do a Content-Type header is very uggy... creating a wrapper function to add X-Content-Type-Options whenever we do a Content-Type would still mean changing all those and reminding people to use it in future.

Might actually be best to just stick it once in WebStart.php -- it'll always be set! :P

Done on trunk in r87997.

Needs testing to confirm that it does in fact protect on IE8 and IE9 of course. :D
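The two checks this task ends up needing are the one in the description (a response whose declared Content-Type a sniffing browser might override should carry `X-Content-Type-Options: nosniff`) and the one in the closing comment (confirming that the header actually arrives on every response path: img_auth.php, thumb.php, action=raw, OutputPage). The following is an added example, not code from MediaWiki or from this task: a small Python checker that parses captured raw HTTP responses and reports any that lack the header, plus any that declare a non-HTML type while the start of the body contains HTML markup. The sample responses are constructed for the example; the 256-byte window and the list of HTML markers are assumptions approximating a sniffer's first look at the body, not IE's documented algorithm.

```python
"""Audit captured HTTP responses for X-Content-Type-Options: nosniff.

Added example for the task above. Responses are constructed; the
sniffing heuristic below is an approximation, not IE's real algorithm.
"""
from __future__ import annotations

import re

# Markers that a content sniffer would plausibly treat as "this is HTML".
# Assumption: a real sniffer's tag list differs; this is an approximation.
HTML_MARKERS = re.compile(
    rb"<(?:!doctype|html|head|body|script|iframe|object|title|table|img|a)\b",
    re.IGNORECASE,
)
SNIFF_WINDOW = 256  # assumption: bytes a sniffer inspects before deciding


def parse_response(raw: bytes) -> tuple[int, dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def looks_like_html(body: bytes) -> bool:
    """True if the sniffing window of the body contains HTML-looking markup."""
    return HTML_MARKERS.search(body[:SNIFF_WINDOW]) is not None


def check_response(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means the response is fine."""
    findings: list[str] = []
    _status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "")
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    if not ctype:
        findings.append("missing Content-Type")
    if not nosniff:
        findings.append("missing X-Content-Type-Options: nosniff")
        # Without nosniff, a non-HTML type whose body starts with markup is the
        # type-aliasing case the task describes (raw wikitext rendered as HTML).
        if "html" not in ctype and looks_like_html(body):
            findings.append(
                f"sniffable: declared {ctype or 'none'} but body contains HTML markup"
            )
    return findings


# --- Constructed sample responses (not real MediaWiki traffic) ---------------
RAW_WITHOUT_NOSNIFF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 01 Jan 2013 00:00:00 GMT\r\n"
    b"Content-Type: text/x-wiki; charset=UTF-8\r\n"
    b"\r\n"
    b"== Heading ==\nWikitext that happens to contain <html><body>markup</body></html>\n"
)
RAW_WITH_NOSNIFF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/x-wiki; charset=UTF-8\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"== Heading ==\nWikitext that happens to contain <html><body>markup</body></html>\n"
)
THUMB_WITH_NOSNIFF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"\x89PNG\r\n\x1a\n"
)


def audit(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run check_response over named captures; only responses with findings appear."""
    return {name: f for name, raw in samples.items() if (f := check_response(raw))}


if __name__ == "__main__":
    report = audit({
        "action=raw (no header)": RAW_WITHOUT_NOSNIFF,
        "action=raw (nosniff)": RAW_WITH_NOSNIFF,
        "thumb.php (nosniff)": THUMB_WITH_NOSNIFF,
    })
    for name, findings in report.items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against captures taken from each MediaWiki entry point (a `curl -i` of img_auth.php, thumb.php, and action=raw is enough) before and after a change like r87997, and the audit should go from listing the raw-page capture to returning nothing. It checks the header's presence, not the browser's behaviour, so the IE8/IE9 confirmation the last comment asks for still has to be done in the browser itself.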