Also, consider adding "Content-disposition: attachment" for uploaded files.
Comments
Comment #1
pwolanin (as a volunteer and at Acquia) commented:
Perhaps effort could be directed instead to getting this in 7 core? #462950: Mitigate the security risks that come from IE, Chrome and other browsers trying to sniff the mime type
Comment #2
Pere Orga commented:
I agree
Comment #3
pwolanin (as a volunteer and at Acquia) commented:

Comment #4
greggles commented:
Drupal.org already has this header in http config, but it's only for pdf and won't work on any sites that use private files (e.g. security.drupal.org or association or maybe some others).
Comment #5
pwolanin (as a volunteer and at Acquia) commented:
We should use it for all files. Locally, I see it protecting in cases where no content-type is sent by the browser.
Comment #6
basic (at Drupal Association) commented:
Would it break things like inline images if applied to all files?
Comment #7
greggles commented:
I mostly agree, although there is a UX regression from using it for all files.
The other option is *only* serving files from a different domain - I'm pretty in favor of that idea.
Comment #8
drumm commented:
Not being able to view patch/diff files in a browser would be a big regression.
Comment #9
basic (at Drupal Association) commented:
I have the following diff for varnish, but won't push this change if it means there will be a huge regression:
Comment #10
basic (at Drupal Association) commented:
I've added 'set beresp.http.X-Content-Type-Options = "nosniff";' in varnish, but kept the content-disposition header off for now. This is now live. It sounds like the next step will be setting up a separate domain for user uploaded files, so I'll mark this fixed.
Comment #11
greggles commented:
For anyone following this and interested, the separate domain idea is in #1730180: serve all drupal.org media from a different domain.
Comment #12
pwolanin (as a volunteer and at Acquia) commented:
I don't see the header being added for all file downloads. Is varnish bypassed for some file extensions?
e.g. https://www.drupal.org/files/issues/foo3.test
Comment #13
pwolanin (as a volunteer and at Acquia) commented:
www7.drupal.org is not setting the header, but other back-ends are.
Comment #14
basic (at Drupal Association) commented:
Yep, that is strange. I'm checking to see why that would be and will force a reload of the active vcl... doing a vcl show it looks like the wrong varnish config was loaded, puppet likely didn't copy the change over.
I've reloaded the vcl on www7 so this should be resolved now.
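Comments #10 and #13/#14 show the two things a defender actually has to verify here: that every backend sends `X-Content-Type-Options: nosniff` on served files, and (if the site later decides to force downloads) that `Content-Disposition: attachment` is present for file types that should not render inline while images and patch files stay viewable. The audit below is an added example written for this thread, not drupal.org's own code or tooling; the sample responses, the "www7"/"www1" backend labels and the inline-safe extension list are constructed assumptions, and the `foo3.test` URL is the one quoted in comment #12.

```python
"""Audit file-download responses for MIME-sniffing protections.

Added example (not drupal.org code). Feed it the response headers you
captured from each backend and it reports which protections are missing.
"""
import posixpath
from urllib.parse import urlparse

# Extensions the thread wants to keep viewable in the browser (comments #6
# and #8). Constructed list for this example; adjust to local policy.
INLINE_SAFE = {".png", ".jpg", ".jpeg", ".gif", ".patch", ".diff", ".txt"}

NOSNIFF_MISSING = "missing X-Content-Type-Options: nosniff"
ATTACHMENT_MISSING = "missing Content-Disposition: attachment"
CONTENT_TYPE_MISSING = "no Content-Type sent"


def wants_attachment(url):
    """True if this file type should be forced to download rather than rendered."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return ext not in INLINE_SAFE


def audit(url, headers, require_attachment=False):
    """Return the list of findings for one response (empty list means OK).

    Header names are matched case-insensitively, as HTTP requires.
    require_attachment=False mirrors the thread's decision in comment #10 to
    ship nosniff first and leave Content-Disposition off for now.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(NOSNIFF_MISSING)
    if require_attachment and wants_attachment(url):
        if not h.get("content-disposition", "").strip().lower().startswith("attachment"):
            findings.append(ATTACHMENT_MISSING)
    if "content-type" not in h:
        findings.append(CONTENT_TYPE_MISSING)
    return findings


# Constructed sample responses modelled on comments #12-#14: one backend
# (labelled www7 here) was still running the stale VCL and sent no nosniff
# header, while the other backends (labelled www1) had the new config.
SAMPLES = [
    ("https://www.drupal.org/files/issues/foo3.test", "www7",
     {"Content-Type": "application/octet-stream"}),
    ("https://www.drupal.org/files/issues/foo3.test", "www1",
     {"Content-Type": "application/octet-stream",
      "X-Content-Type-Options": "nosniff"}),
    ("https://www.drupal.org/files/issues/fix.patch", "www1",
     {"Content-Type": "text/plain",
      "X-Content-Type-Options": "nosniff"}),
]


def audit_all(samples=SAMPLES, require_attachment=False):
    """Audit every (url, backend, headers) triple; keyed by (url, backend)."""
    return {(url, backend): audit(url, hdrs, require_attachment)
            for url, backend, hdrs in samples}


if __name__ == "__main__":
    for (url, backend), findings in audit_all().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{backend} {url}: {status}")
```

Run against real captures by replacing `SAMPLES` with one triple per backend (fetching the same URL from each backend directly is what exposed the www7 mismatch in comment #13); re-run with `require_attachment=True` once the forced-download policy is switched on, and it will flag any non-inline-safe file that is still served without `Content-Disposition: attachment`.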