You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@myfaces.apache.org by "Dennis Kieselhorst (JIRA)" <de...@myfaces.apache.org> on 2014/05/16 13:19:52 UTC

[jira] [Commented] (TOBAGO-1395) Set Content Type Options header to nosniff

    [ https://issues.apache.org/jira/browse/TOBAGO-1395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13999690#comment-13999690 ] 

Dennis Kieselhorst commented on TOBAGO-1395:
--------------------------------------------

Attached a patch for it, header is set by default and can be deactivated using the create-content-type-options-nosniff-header flag in the tobago-config.xml.

> Set Content Type Options header to nosniff
> ------------------------------------------
>
>                 Key: TOBAGO-1395
>                 URL: https://issues.apache.org/jira/browse/TOBAGO-1395
>             Project: MyFaces Tobago
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 2.0.0-beta-3
>            Reporter: Dennis Kieselhorst
>            Priority: Minor
>             Fix For: 2.0.0-beta-4, 2.0.0, 3.0.0-alpha-1
>
>         Attachments: TOBAGO-1395.patch
>
>
> Content sniffing allows malicious users to use polyglots (a file that is valid as multiple content types). This can be used to execute XSS attacks.
> The X-Content-Type-Options should be set to nosniff by default to avoid this.



--
This message was sent by Atlassian JIRA
(v6.2#6252)