In Drupal 8, core now sets the X-Content-Type-Options header. This will always override our setting in the seckit config. We can do one of two things: remove this setting and allow core to always set it, or override core when this is not enabled, as we do with the X-Frame-Options header in #2661644: Integrate with Drupal core clickjacking defense.

For now, in order to address #2764863: Fix tests, I am going to comment out the test. If it is determined we need to override core, we can fix the code, then add this test back. If we remove it, we can remove the test altogether.

Comments

kmoll created an issue.

kmoll

Assigned: Unassigned » kmoll
kmoll

I am going to implement this so that if it is disabled, we remove the header set by core to match the X-Frame header. But due to the fact that it closes a security concern, I think we default to it being on, and in the description we say that it is highly recommended to leave that option on.
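The behaviour described in the comment above (let core's default stand when the option is on, strip core's header when it is off) can be implemented as a response event subscriber. The class below is an added illustration, not seckit's own code: the namespace, the `seckit.settings` config name, the `seckit_xss.x_content_type.checkbox` key (modelled on the form field name used in the tests) and the -10 priority are assumptions.

```php
<?php

namespace Drupal\seckit_example\EventSubscriber;

use Drupal\Core\Config\ConfigFactoryInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Hypothetical subscriber that reconciles X-Content-Type-Options with a
 * module setting (illustration only, not seckit's real implementation).
 *
 * Drupal 8 core's FinishResponseSubscriber adds "X-Content-Type-Options:
 * nosniff" on KernelEvents::RESPONSE at the default priority (0). To let a
 * setting override that, this subscriber runs later (negative priority) and
 * either re-asserts the header or removes it.
 *
 * Register it in the module's services.yml with the event_subscriber tag:
 *
 *   seckit_example.x_content_type_options:
 *     class: Drupal\seckit_example\EventSubscriber\XContentTypeOptionsSubscriber
 *     arguments: ['@config.factory']
 *     tags:
 *       - { name: event_subscriber }
 */
class XContentTypeOptionsSubscriber implements EventSubscriberInterface {

  // Assumed config object and key; modelled on the form field
  // seckit_xss[x_content_type][checkbox] from the test case.
  const CONFIG_NAME = 'seckit.settings';
  const CONFIG_KEY = 'seckit_xss.x_content_type.checkbox';

  /**
   * @var \Drupal\Core\Config\ConfigFactoryInterface
   */
  protected $configFactory;

  public function __construct(ConfigFactoryInterface $config_factory) {
    $this->configFactory = $config_factory;
  }

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents() {
    // Priority -10 (assumed) runs after core's subscriber at priority 0, so
    // whatever we decide here is what the client actually receives.
    return [KernelEvents::RESPONSE => ['onRespond', -10]];
  }

  /**
   * Sets or strips X-Content-Type-Options according to the module setting.
   */
  public function onRespond(FilterResponseEvent $event) {
    if (!$event->isMasterRequest()) {
      return;
    }
    $headers = $event->getResponse()->headers;
    $enabled = $this->configFactory->get(self::CONFIG_NAME)->get(self::CONFIG_KEY);

    // Treat a missing setting as enabled: the hardened default survives an
    // unconfigured site, matching the "default to on" decision in the issue.
    if ($enabled === NULL || $enabled) {
      $headers->set('X-Content-Type-Options', 'nosniff');
    }
    else {
      // Explicitly disabled: remove the header core already added.
      $headers->remove('X-Content-Type-Options');
    }
  }

}
```

The two functional tests in this issue map onto the two branches: with the checkbox on, `drupalGetHeader('X-Content-Type-Options')` should return `nosniff`; with it off, the header should be absent from the response, which is the assertion the disabled-case test needs in order to prove that core's default was actually removed rather than merely left untouched.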

kmoll

Created a patch for it.

kmoll

Status: Active » Needs review
jribeiro

Status: Needs review » Reviewed & tested by the community

+1 RTBC

naveenvalecha

+++ b/src/Tests/SecKitTestCaseTest.php
@@ -216,15 +216,15 @@ class SecKitTestCaseTest extends WebTestBase {
+    $form['seckit_xss[x_content_type][checkbox]'] = FALSE;
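Review bot: this hunk only shows the form value being switched to FALSE; for the disabled case the test should also assert that the X-Content-Type-Options header is absent from the response after the form is saved, since core sets it by default and the point of this issue is removing it when the option is off. An assertion on `$this->drupalGetHeader('X-Content-Type-Options')` being empty would make the test actually prove the override; the enabled counterpart, asserting `nosniff`, belongs alongside it as the earlier comment requests.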

Add the test for when it will be true as well.

RTBC +1

  • badjava committed 1532426 on 8.x-1.x authored by kmoll
    Issue #2774927 by kmoll, jribeiro, naveenvalecha: Handle core x-content-...
naveenvalecha

Status: Reviewed & tested by the community » Fixed

Thanks!

badjava

Assigned: kmoll » Unassigned

Committed, thank you everyone!

@naveenvalecha The test for when it is true is there and passing.

  /**
   * Tests enabled X-Content-Type-Options HTTP response header.
   */
  public function testEnabledXContentTypeOptions() {
    $form['seckit_xss[x_content_type][checkbox]'] = TRUE;
    $this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
    $this->assertEqual('nosniff', $this->drupalGetHeader('X-Content-Type-Options'),
      t('X-Content-Type-Options is enabled and set to nosniff.'));
  }
naveenvalecha

cool then

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.