[jira] [Commented] (TOBAGO-1395) Set Content Type Options header to nosniff
[ https://issues.apache.org/jira/browse/TOBAGO-1395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14003433#comment-14003433 ]

Hudson commented on TOBAGO-1395:

SUCCESS: Integrated in tobago-trunk #1179 (See [https://builds.apache.org/job/tobago-trunk/1179/])
TOBAGO-1395: Set Content Type Options header to nosniff
- patch applied
- doing some enhancements (lofwyr: http://svn.apache.org/viewvc/?view=rev&rev=1595204)
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/ajax/AjaxUtils.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/ajax/AjaxResponseRenderer.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/servlet/ResourceServlet.java
* /myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd
* /myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java
* /myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml
* /myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml
* /myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/java/org/apache/myfaces/tobago/renderkit/html/standard/standard/tag/PageRenderer.java

> Set Content Type Options header to nosniff
> ------------------------------------------
>
>                 Key: TOBAGO-1395
>                 URL: https://issues.apache.org/jira/browse/TOBAGO-1395
>             Project: MyFaces Tobago
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 2.0.0-beta-3
>            Reporter: Dennis Kieselhorst
>            Priority: Minor
>             Fix For: 2.0.0-beta-4, 2.0.0, 3.0.0-alpha-1
>
>         Attachments: TOBAGO-1395.patch
>
>
> Content sniffing allows malicious users to use polyglots (a file that is
> valid as multiple content types). This can be used to execute XSS attacks.
> The X-Content-Type-Options should be set to nosniff by default to avoid this.

--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Commented] (TOBAGO-1395) Set Content Type Options header to nosniff
[ https://issues.apache.org/jira/browse/TOBAGO-1395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13999690#comment-13999690 ]

Dennis Kieselhorst commented on TOBAGO-1395:

Attached a patch for it. The header is set by default and can be deactivated using the create-content-type-options-nosniff-header flag in the tobago-config.xml.