summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Bugzilla/Attachment/PatchReader.pm2
-rw-r--r--Bugzilla/CGI.pm4
-rwxr-xr-xattachment.cgi3
3 files changed, 5 insertions, 4 deletions
diff --git a/Bugzilla/Attachment/PatchReader.pm b/Bugzilla/Attachment/PatchReader.pm
index c79b96ed2..e9cb189ef 100644
--- a/Bugzilla/Attachment/PatchReader.pm
+++ b/Bugzilla/Attachment/PatchReader.pm
@@ -27,7 +27,6 @@ sub process_diff {
$last_reader->sends_data_to(new PatchReader::DiffPrinter::raw());
# Actually print out the patch.
print $cgi->header(-type => 'text/plain',
- -x_content_type_options => "nosniff",
-expires => '+3M');
disable_utf8();
$reader->iterate_string('Attachment ' . $attachment->id, $attachment->data);
@@ -109,7 +108,6 @@ sub process_interdiff {
$last_reader->sends_data_to(new PatchReader::DiffPrinter::raw());
# Actually print out the patch.
print $cgi->header(-type => 'text/plain',
- -x_content_type_options => "nosniff",
-expires => '+3M');
disable_utf8();
}
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 98fa3d79b..fc29008c3 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -317,6 +317,10 @@ sub header {
# and enforce the blocking (rather than the rewriting) mode.
unshift(@_, '-x_xss_protection' => '1; mode=block');
+ # Add X-Content-Type-Options header to prevent browsers sniffing
+ # the MIME type away from the declared Content-Type.
+ unshift(@_, '-x_content_type_options' => 'nosniff');
+
return $self->SUPER::header(@_) || "";
}
diff --git a/attachment.cgi b/attachment.cgi
index 2bc6e5454..92f48d05d 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -385,8 +385,7 @@ sub view {
}
print $cgi->header(-type=>"$contenttype; name=\"$filename\"",
-content_disposition=> "$disposition; filename=\"$filename\"",
- -content_length => $attachment->datasize,
- -x_content_type_options => "nosniff");
+ -content_length => $attachment->datasize);
disable_utf8();
print $attachment->data;
}