User "Brion VIBBER" posted a comment on MediaWiki.r87997.
Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/87997#c17689

Commit summary:

* (bug 15461) Make IE8 turn off content sniffing. Everybody else should ignore this.

Adding X-Content-Type-Options: nosniff header in WebStart.php so that it's *always* set, even for alternate entry points and when $wgOut gets disabled or overridden.

Note that this of course doesn't apply to uploaded images and such loaded directly -- the usual caveats still apply.

Have not tested to confirm that this actually protects against sniffing errors -- please test on IE8 and IE9.

Comment:

As a regression test, I suppose would need:

# some sample dangerous files (as would get sent out via wfStreamFile through img_auth.php) and raw page contents (as via ?action=raw)
# selenium...? or qunit...? -based tests that use a live wiki to upload the files/add the pages, then load them back, and confirm that exploit code does *not* run with access to the local session
# ... uhhh... maybe some way to disable all our other checks so those things can actually get turned on in the first place ;)

A confirm-that-this-thing-works-in-general test could probably be done in the qunit tests, but could need a .php file or something to serve out the data.

_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
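The "confirm-that-this-thing-works-in-general" check discussed above, as an added example that is not part of the commit or the comment and is not MediaWiki code: a self-contained regression test in Python that stands up a throwaway localhost HTTP server with two constructed endpoints (/raw, which sends X-Content-Type-Options: nosniff the way the patched WebStart.php would, and /img, constructed to model an unpatched direct-serving path that omits it) and verifies each response. The endpoint names, the text/plain body and the port handling are all assumptions made for the example; a real test would point check_endpoint at a live wiki's ?action=raw and img_auth.php URLs instead of the stub server.

```python
"""Added example (not MediaWiki's code): regression check for the
X-Content-Type-Options: nosniff header described in r87997.

A local stub server stands in for the '.php file or something to serve out
the data'; every endpoint, body and value here is constructed for the example."""

import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: HTML-looking text declared as text/plain, i.e. the kind of
# body a sniffing browser might decide to render as HTML.
SAMPLE_BODY = b"<html><body>constructed sample served as text/plain</body></html>"

# Constructed endpoint table: path -> whether this handler emits nosniff.
# /raw models the patched WebStart.php path; /img models an unpatched path.
ENDPOINTS = {"/raw": True, "/img": False}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path not in ENDPOINTS:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        if ENDPOINTS[self.path]:
            self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(SAMPLE_BODY)))
        self.end_headers()
        self.wfile.write(SAMPLE_BODY)

    def log_message(self, *args):  # keep the stub server quiet
        pass


def start_server():
    """Bind to an ephemeral localhost port and serve from a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def has_nosniff(headers):
    """True iff X-Content-Type-Options is present (header names are
    case-insensitive) and its value is exactly 'nosniff' after trimming and
    lowercasing. Browsers ignore any other value, so 'no-sniff' must fail."""
    for name, value in headers:
        if name.lower() == "x-content-type-options":
            return value.strip().lower() == "nosniff"
    return False


def check_endpoint(host, port, path):
    """Fetch one endpoint over plain HTTP and report whether it is protected."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return has_nosniff(resp.getheaders())
    finally:
        conn.close()


def run_regression():
    """Check every constructed endpoint; returns {path: nosniff_present}."""
    server = start_server()
    try:
        host, port = server.server_address[:2]
        return {path: check_endpoint(host, port, path) for path in ENDPOINTS}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, ok in run_regression().items():
        print("%-5s %s" % (path, "nosniff set" if ok else "MISSING nosniff"))
```

The value check in has_nosniff is the part worth keeping even if the stub server is discarded: a header that is present but misspelled or carries a different value gives no protection, so a test that only asserts the header exists would pass on a broken configuration.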
