From c9d188950508f104a8115ec7a78335607d9b6037 Mon Sep 17 00:00:00 2001 From: David Rothstein Date: Sat, 3 Oct 2015 15:13:35 -0400 Subject: Issue #462950 by pwolanin, Pere Orga: Mitigate the security risks that come from IE, Chrome and other browsers trying to sniff the mime type --- .htaccess | 6 ++++++ CHANGELOG.txt | 2 ++ includes/bootstrap.inc | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/.htaccess b/.htaccess index 7ccb6a2f6..151239c11 100644 --- a/.htaccess +++ b/.htaccess @@ -141,3 +141,9 @@ DirectoryIndex index.php index.html index.htm + +# Add headers to all responses. + + # Disable content sniffing, since it's an attack vector. + Header always set X-Content-Type-Options nosniff + diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 23b66697d..069595046 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,6 +1,8 @@ Drupal 7.40, xxxx-xx-xx (development version) ----------------------- +- Set the X-Content-Type-Options header to "nosniff" when possible, to prevent + certain web browsers from picking an unsafe MIME type. - Prevented the database API from executing multiple queries at once on MySQL, if the site's PHP version is new enough to do so. This is a secondary defense against SQL injection attacks. diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index efddf006a..b2f2b042e 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -1262,6 +1262,10 @@ function drupal_page_header() { $default_headers = array( 'Expires' => 'Sun, 19 Nov 1978 05:00:00 GMT', 'Cache-Control' => 'no-cache, must-revalidate, post-check=0, pre-check=0', + // Prevent browsers from sniffing a response and picking a MIME type + // different from the declared content-type, since that can lead to + // XSS and other vulnerabilities. + 'X-Content-Type-Options' => 'nosniff', ); drupal_send_headers($default_headers); } -- cgit v1.2.3