Bug 128673

Summary: Enable support of X-Content-Type-Options: nosniff header for EFL
Product: WebKit
Reporter: Peter Molnar <pmolnar.u-szeged>
Component: WebKit Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal
CC: abarth, bunhere, cdumez, commit-queue, gyuyoung.kim, ossy, ptoomey3, rakuco, sergio
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 134010    
Attachments:
Description Flags
patch none

Peter Molnar
Reported 2014-02-12 06:51:07 PST
As other major browsers (IE, Chromium) now support this header, we may consider turning it on, as it protects WebKit users from MIME-sniffing attacks, and it seems like it doesn't break anything. See: https://adblockplus.org/blog/the-hazards-of-mime-sniffing
Attachments
patch (7.41 KB, patch)
2014-02-12 06:52 PST, Peter Molnar
no flags
Peter Molnar
Comment 1 2014-02-12 06:52:37 PST
Peter Molnar
Comment 2 2014-02-27 07:33:49 PST
CCing Adam as the reviewer of the patch that introduced this feature, in http://trac.webkit.org/changeset/142683 .
Gyuyoung Kim
Comment 3 2014-02-27 17:53:22 PST
Comment on attachment 223967: patch
It looks like this feature is disabled on all ports now. So, r=me for EFL port for now.
WebKit Commit Bot
Comment 4 2014-02-27 18:27:01 PST
Comment on attachment 223967: patch
Clearing flags on attachment: 223967
Committed r164848: <http://trac.webkit.org/changeset/164848>
WebKit Commit Bot
Comment 5 2014-02-27 18:27:04 PST
All reviewed patches have been landed. Closing bug.
Csaba Osztrogonác
Comment 6 2014-05-22 03:41:33 PDT
Reopen, because NOSNIFF is still disabled on EFL due to the stronger 0 in Tools/Scripts/webkitperl/FeatureList.pm:

    { option => "nosniff", desc => "Toggle support for 'X-Content-Type-Options: nosniff'",
      define => "ENABLE_NOSNIFF", default => 0, value => \$nosniffSupport },

The default 0 should be isEfl().
Csaba Osztrogonác
Comment 7 2014-06-17 23:51:10 PDT
Patrick Toomey
Comment 8 2014-09-18 14:46:30 PDT
What would it take to get this feature enabled for all ports? GitHub recently placed a bounty for getting nosniff merged in https://bugzilla.mozilla.org/show_bug.cgi?id=471020#c47. It looks like we have some interest and are hopeful the feature will get merged in the not too distant future. Once that change lands, Safari/WebKit will be the last browser without support.
Patrick Toomey
Comment 9 2014-09-23 07:45:42 PDT
Ah, I had somehow missed https://bugs.webkit.org/show_bug.cgi?id=136452 when searching for bugs related to nosniff. I'll follow the discussion over there.