Problem/Motivation

Follow-up from #462950: Mitigate the security risks that come from IE, Chrome and other browsers trying to sniff the mime type

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Comments

catch created an issue. See original summary.

catch

roball

Title: followup) Mitigate the security risks that come from IE, Chrome and other browsers trying to sniff the mime type » (followup) Mitigate the security risks that come from IE, Chrome and other browsers trying to sniff the mime type

My proposal was to remove the always condition from Apache's Header directive, ending up in

Header set X-Content-Type-Options nosniff

Otherwise, I get the response header line

X-Content-Type-Options: nosniff, nosniff
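A small check for the failure mode roball describes, added here as an example and not code from Drupal or from this issue: it parses a raw HTTP response and reports whether X-Content-Type-Options is missing, set once, or duplicated (two header lines, or one comma-joined line as in "nosniff, nosniff"). The sample responses are constructed; the function names are this example's own.

```python
"""Verify that a response carries exactly one X-Content-Type-Options: nosniff."""

# Constructed sample responses (not captured from a real server).
SINGLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"X-Content-Type-Options: nosniff\r\n\r\n<html>")
FOLDED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"X-Content-Type-Options: nosniff, nosniff\r\n\r\n<html>")
TWO_LINES = (b"HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n"
             b"Content-Type: text/html\r\n"
             b"X-Content-Type-Options: NOSNIFF\r\n\r\n<html>")
MISSING = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"


def parse_headers(raw: bytes) -> list:
    """Return (lowercased-name, value) pairs from the head of a raw response."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    _status, *lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.append((name.strip().lower(), value.strip()))
    return headers


def nosniff_values(raw: bytes) -> list:
    """Collect every X-Content-Type-Options value, splitting comma-joined lists."""
    values = []
    for name, value in parse_headers(raw):
        if name == "x-content-type-options":
            values.extend(v.strip().lower() for v in value.split(",") if v.strip())
    return values


def check_nosniff(raw: bytes) -> str:
    """Classify the response: 'ok', 'missing', 'duplicate' or 'unexpected'."""
    values = nosniff_values(raw)
    if not values:
        return "missing"
    if values == ["nosniff"]:
        return "ok"
    if all(v == "nosniff" for v in values):
        return "duplicate"  # the "nosniff, nosniff" case from the thread
    return "unexpected"


if __name__ == "__main__":
    for label, raw in (("single", SINGLE), ("folded", FOLDED),
                       ("two lines", TWO_LINES), ("missing", MISSING)):
        print(f"{label:10s} -> {check_nosniff(raw)}")
```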

pwolanin

I never see the X-Content-Type-Options: nosniff, nosniff

The D8 core test would be failing if it was happening in the test scenario.

Are you getting that with a contrib module or just stock Drupal core?

neograph734

Closely reading the discussion in the other thread leads to #44, where it is stated that the seckit module implements the function _seckit_x_content_type_options, which adds this header to Drupal as well.

The goal of the module:

SecKit provides Drupal with various security-hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities.

So since this is in core now, I believe it should be removed from seckit (as it is no longer required) and this issue is done.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

wim leers

Status: Active » Closed (duplicate)
Related issues: +#2854817: Duplicate X-Content-Type-Options headers both with the value nosniff

This only happens if you are using Apache with mod_headers installed.

More details at #2854817: Duplicate X-Content-Type-Options headers both with the value nosniff. Marking this as a duplicate.