Bug 128673 - Enable support of X-Content-Type-Options: nosniff header for EFL
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Depends on:
Blocks: 134010
Reported: 2014-02-12 06:51 PST by Peter Molnar
Modified: 2014-09-23 07:45 PDT

patch (7.41 KB, patch)
2014-02-12 06:52 PST, Peter Molnar

Description Peter Molnar 2014-02-12 06:51:07 PST
As other major browsers (IE, Chromium) now support this header, we may consider turning it on, as it protects WebKit users from MIME-sniffing attacks, and it seems like it doesn't break anything.

See: https://adblockplus.org/blog/the-hazards-of-mime-sniffing
Comment 1 Peter Molnar 2014-02-12 06:52:37 PST
Created attachment 223967 [details]
Comment 2 Peter Molnar 2014-02-27 07:33:49 PST
CCing Adam as the reviewer of the patch that introduced this feature, in http://trac.webkit.org/changeset/142683 .
Comment 3 Gyuyoung Kim 2014-02-27 17:53:22 PST
Comment on attachment 223967 [details]

It looks like this feature is disabled on all ports now. So, r=me for EFL port for now.
Comment 4 WebKit Commit Bot 2014-02-27 18:27:01 PST
Comment on attachment 223967 [details]

Clearing flags on attachment: 223967

Committed r164848: <http://trac.webkit.org/changeset/164848>
Comment 5 WebKit Commit Bot 2014-02-27 18:27:04 PST
All reviewed patches have been landed.  Closing bug.
Comment 6 Csaba Osztrogonác 2014-05-22 03:41:33 PDT
Reopen, because NOSNIFF is still disabled on EFL due to the
stronger 0 in Tools/Scripts/webkitperl/FeatureList.pm:

    { option => "nosniff", desc => "Toggle support for 'X-Content-Type-Options: nosniff'",
      define => "ENABLE_NOSNIFF", default => 0, value => \$nosniffSupport },

The default 0 should be isEfl().
Comment 7 Csaba Osztrogonác 2014-06-17 23:51:10 PDT
Already fixed in https://trac.webkit.org/changeset/170096
Comment 8 Patrick Toomey 2014-09-18 14:46:30 PDT
What would it take to get this feature enabled for all ports? GitHub recently placed a bounty for getting nosniff merged in https://bugzilla.mozilla.org/show_bug.cgi?id=471020#c47. It looks like we have some interest and are hopeful the feature will get merged in the not too distant future. Once that change lands, Safari/WebKit will be the last browser without support.
Comment 9 Patrick Toomey 2014-09-23 07:45:42 PDT
Ah, I had somehow missed https://bugs.webkit.org/show_bug.cgi?id=136452 when searching for bugs related to nosniff. I'll follow the discussion over there.