diff options
| -rw-r--r-- | Bugzilla/Attachment/PatchReader.pm | 2 | ||||
| -rw-r--r-- | Bugzilla/CGI.pm | 4 | ||||
| -rwxr-xr-x | attachment.cgi | 3 |
3 files changed, 5 insertions, 4 deletions
diff --git a/Bugzilla/Attachment/PatchReader.pm b/Bugzilla/Attachment/PatchReader.pm index 01a624a8f..cfc7610f4 100644 --- a/Bugzilla/Attachment/PatchReader.pm +++ b/Bugzilla/Attachment/PatchReader.pm @@ -37,7 +37,6 @@ sub process_diff { $last_reader->sends_data_to(new PatchReader::DiffPrinter::raw()); # Actually print out the patch. print $cgi->header(-type => 'text/plain', - -x_content_type_options => "nosniff", -expires => '+3M'); disable_utf8(); $reader->iterate_string('Attachment ' . $attachment->id, $attachment->data); @@ -119,7 +118,6 @@ sub process_interdiff { $last_reader->sends_data_to(new PatchReader::DiffPrinter::raw()); # Actually print out the patch. print $cgi->header(-type => 'text/plain', - -x_content_type_options => "nosniff", -expires => '+3M'); disable_utf8(); } diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 7135f7c48..a16ae6686 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -316,6 +316,10 @@ sub header { unshift(@_, '-x_frame_options' => 'SAMEORIGIN'); } + # Add X-Content-Type-Options header to prevent browsers sniffing + # the MIME type away from the declared Content-Type. + unshift(@_, '-x_content_type_options' => 'nosniff'); + return $self->SUPER::header(@_) || ""; } diff --git a/attachment.cgi b/attachment.cgi index 04bad37b3..64f78dc36 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -408,8 +408,7 @@ sub view { } print $cgi->header(-type=>"$contenttype; name=\"$filename\"", -content_disposition=> "$disposition; filename=\"$filename\"", - -content_length => $attachment->datasize, - -x_content_type_options => "nosniff"); + -content_length => $attachment->datasize); disable_utf8(); print $attachment->data; } |