Bug 128673

Summary: Enable support of X-Content-Type-Options: nosniff header for EFL
Product: WebKit Reporter: Peter Molnar <pmolnar.u-szeged>
Component: WebKit Misc.Assignee: Nobody <webkit-unassigned>
Severity: Normal CC: abarth, bunhere, cdumez, commit-queue, gyuyoung.kim, ossy, ptoomey3, rakuco, sergio
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 134010    
Description Flags
patch none

Description Peter Molnar 2014-02-12 06:51:07 PST
As other major browsers (IE, Chromium) now support this header, we may consider turning it on, as it protects Webkit users from MIME-sniffing attacks, and it seems like it doesn't break anything.

See: https://adblockplus.org/blog/the-hazards-of-mime-sniffing
Comment 1 Peter Molnar 2014-02-12 06:52:37 PST
Created attachment 223967 [details]
Comment 2 Peter Molnar 2014-02-27 07:33:49 PST
CCing Adam as the reviewer of the patch that introduced this feature, in http://trac.webkit.org/changeset/142683 .
Comment 3 Gyuyoung Kim 2014-02-27 17:53:22 PST
Comment on attachment 223967 [details]

It looks this feature is disabled on all ports now. So, r=me for EFL port for now.
Comment 4 WebKit Commit Bot 2014-02-27 18:27:01 PST
Comment on attachment 223967 [details]

Clearing flags on attachment: 223967

Committed r164848: <http://trac.webkit.org/changeset/164848>
Comment 5 WebKit Commit Bot 2014-02-27 18:27:04 PST
All reviewed patches have been landed.  Closing bug.
Comment 6 Csaba Osztrogon√°c 2014-05-22 03:41:33 PDT
Reopen, because NOSNIFF is still disabled on EFL due to the
stronger 0 in Tools/Scripts/webkitperl/FeatureList.pm:

    { option => "nosniff", desc => "Toggle support for 'X-Content-Type-Options: nosniff'",
      define => "ENABLE_NOSNIFF", default => 0, value => \$nosniffSupport },

The default 0 should be isEfl().
Comment 7 Csaba Osztrogon√°c 2014-06-17 23:51:10 PDT
Already fixed in https://trac.webkit.org/changeset/170096
Comment 8 Patrick Toomey 2014-09-18 14:46:30 PDT
What would it take to get this feature enabled for all ports? GitHub recently placed a bounty for getting nosniff merged in https://bugzilla.mozilla.org/show_bug.cgi?id=471020#c47. It looks like we have some interest and are hopeful the feature will get merged in the not too distant future. Once that change lands Safari/Webkit will be the last browser without support.
Comment 9 Patrick Toomey 2014-09-23 07:45:42 PDT
Ah, I had somehow missed https://bugs.webkit.org/show_bug.cgi?id=136452 when searching for bugs related to nosniff. I'll follow the discussion over there.