[jira] [Commented] (TOBAGO-1395) Set Content Type Options header to nosniff

Dennis Kieselhorst (JIRA) Fri, 16 May 2014 18:14:16 -0700

    [ 
https://issues.apache.org/jira/browse/TOBAGO-1395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13999690#comment-13999690
 ]


Dennis Kieselhorst commented on TOBAGO-1395:
--------------------------------------------

Attached a patch for it, header is set by default and can be deactivated using 
the create-content-type-options-nosniff-header flag in the tobago-config.xml.

> Set Content Type Options header to nosniff
> ------------------------------------------
>
>                 Key: TOBAGO-1395
>                 URL: https://issues.apache.org/jira/browse/TOBAGO-1395
>             Project: MyFaces Tobago
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 2.0.0-beta-3
>            Reporter: Dennis Kieselhorst
>            Priority: Minor
>             Fix For: 2.0.0-beta-4, 2.0.0, 3.0.0-alpha-1
>
>         Attachments: TOBAGO-1395.patch
>
>
> Content sniffing allows malicious users to use polyglots (a file that is 
> valid as multiple content types). This can be used to execute XSS attacks.
> The X-Content-Type-Options should be set to nosniff by default to avoid this.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Commented] (TOBAGO-1395) Set Content Type Options header to nosniff

Reply via email to