You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@myfaces.apache.org by "Dennis Kieselhorst (JIRA)" <de...@myfaces.apache.org> on 2014/05/16 13:19:52 UTC
[jira] [Commented] (TOBAGO-1395) Set Content Type Options header to
nosniff
[ https://issues.apache.org/jira/browse/TOBAGO-1395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13999690#comment-13999690 ]
Dennis Kieselhorst commented on TOBAGO-1395:
--------------------------------------------
Attached a patch for it, header is set by default and can be deactivated using the create-content-type-options-nosniff-header flag in the tobago-config.xml.
> Set Content Type Options header to nosniff
> ------------------------------------------
>
> Key: TOBAGO-1395
> URL: https://issues.apache.org/jira/browse/TOBAGO-1395
> Project: MyFaces Tobago
> Issue Type: New Feature
> Components: Core
> Affects Versions: 2.0.0-beta-3
> Reporter: Dennis Kieselhorst
> Priority: Minor
> Fix For: 2.0.0-beta-4, 2.0.0, 3.0.0-alpha-1
>
> Attachments: TOBAGO-1395.patch
>
>
> Content sniffing allows malicious users to use polyglots (a file that is valid as multiple content types). This can be used to execute XSS attacks.
> The X-Content-Type-Options should be set to nosniff by default to avoid this.
--
This message was sent by Atlassian JIRA
(v6.2#6252)