[jira] [Commented] (TOBAGO-1395) Set Content Type Options header to nosniff

2014-05-20 Thread Hudson (JIRA)

[ https://issues.apache.org/jira/browse/TOBAGO-1395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14003433#comment-14003433 ]

Hudson commented on TOBAGO-1395:


SUCCESS: Integrated in tobago-trunk #1179 (See [https://builds.apache.org/job/tobago-trunk/1179/])
TOBAGO-1395: Set Content Type Options header to nosniff
- patch applied
- doing some enhancements (lofwyr: http://svn.apache.org/viewvc/?view=rev&rev=1595204)
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/ajax/AjaxUtils.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/ajax/AjaxResponseRenderer.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/servlet/ResourceServlet.java
* /myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd
* /myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java
* /myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml
* /myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml
* /myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/java/org/apache/myfaces/tobago/renderkit/html/standard/standard/tag/PageRenderer.java


> Set Content Type Options header to nosniff
> --
>
> Key: TOBAGO-1395
> URL: https://issues.apache.org/jira/browse/TOBAGO-1395
> Project: MyFaces Tobago
> Issue Type: New Feature
> Components: Core
> Affects Versions: 2.0.0-beta-3
> Reporter: Dennis Kieselhorst
> Priority: Minor
> Fix For: 2.0.0-beta-4, 2.0.0, 3.0.0-alpha-1
>
> Attachments: TOBAGO-1395.patch
>
>
> Content sniffing allows malicious users to use polyglots (a file that is 
> valid as multiple content types). This can be used to execute XSS attacks.
> The X-Content-Type-Options should be set to nosniff by default to avoid this.



--
This message was sent by Atlassian JIRA
(v6.2#6252)


[jira] [Commented] (TOBAGO-1395) Set Content Type Options header to nosniff

2014-05-16 Thread Dennis Kieselhorst (JIRA)

[ https://issues.apache.org/jira/browse/TOBAGO-1395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13999690#comment-13999690 ]

Dennis Kieselhorst commented on TOBAGO-1395:


Attached a patch for it; the header is set by default and can be deactivated using
the create-content-type-options-nosniff-header flag in the tobago-config.xml.
