Last modified: 2013-04-08 11:02:13 UTC
IE 8 adds the ability to opt-out of content type sniffing, a traditional security vulnerability^H^H^Hfeature in that browser. As of beta 2 this can be done by sending:

X-Content-Type-Options: nosniff

This might be wise to send with all MediaWiki output as another layer against type-aliasing sorts of attacks (e.g. serving raw page text that gets sniffed as HTML). Unfortunately we can't have MediaWiki add this to uploaded files served from the regular web server; that would be a nice trick. :) But we could put it on there for img_auth.php, thumb.php, etc. The header should be ignored by other (better-behaving) browsers.
Created attachment 5592 [details]
Add header to StreamFile

Both img_auth and thumb use StreamFile, so I added the header for 'X-Content-Type-Options: nosniff' to wfStreamFile(). Does this cover it, or is there more to this?

Created attachment 5593 [details]
Fixed

Wrong line, oops.
Probably worth putting this on action=raw output, and maybe just on everything for good measure... :)
Unassigning from myself. Good candidate for bugsmash in October.
This'll also need to be added for RawPage at a minimum; wouldn't hurt to add it to regular OutputPage etc as well.
Adding a bajillion of these everywhere we do a Content-Type header is very uggy... creating a wrapper function to add X-Content-Type-Options whenever we do a Content-Type would still mean changing all those and reminding people to use it in future. Might actually be best to just stick it once in WebStart.php -- it'll always be set! :P
Done on trunk in r87997. Needs testing to confirm that it does in fact protect on IE8 and IE9 of course. :D
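An offline check for the "needs testing" step above, added here as an example and not part of this bug thread or of MediaWiki's own code: it parses raw HTTP response heads for the endpoints the thread names (index.php, action=raw, thumb.php, img_auth.php) and reports which ones lack a correctly valued nosniff header. The endpoint names and the four responses are constructed sample data, not captured from a real wiki.

```python
"""Check which MediaWiki endpoints answer with X-Content-Type-Options: nosniff."""


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.x response head into (status code, header map).

    Header names are lower-cased because HTTP header names are case-insensitive;
    anything after the blank line (the body) is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def has_nosniff(headers: dict[str, str]) -> bool:
    """True only if the header is present with the exact token 'nosniff'
    (compared case-insensitively); a missing or misspelled value does not count."""
    return headers.get("x-content-type-options", "").strip().lower() == "nosniff"


def audit(responses: dict[str, str]) -> list[str]:
    """Return the endpoints whose response lacks a valid nosniff header."""
    return [ep for ep, raw in responses.items() if not has_nosniff(parse_response(raw)[1])]


# Constructed sample responses (hypothetical wiki, not real captures): two carry
# the header, the raw-text and img_auth responses do not.
SAMPLE_RESPONSES = {
    "index.php?title=Main_Page": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n<!DOCTYPE html>..."
    ),
    "index.php?action=raw&title=Main_Page": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/x-wiki; charset=UTF-8\r\n\r\n== Hello ==<script>"
    ),
    "thumb.php?f=Example.png&w=120": (
        "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
        "x-content-type-options: NOSNIFF\r\n\r\n\x89PNG..."
    ),
    "img_auth.php/Example.txt": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n<html>not really text</html>"
    ),
}

if __name__ == "__main__":
    for endpoint in audit(SAMPLE_RESPONSES):
        print("missing nosniff:", endpoint)
```

Feed `audit()` the response heads of a real wiki (for example from `curl -si`) to confirm that the WebStart.php change covers every output path, not only wfStreamFile().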