Bug 1120260 - Use response header X-Content-Type-Options: nosniff to prevent MIME sniffing
Summary: Use response header X-Content-Type-Options: nosniff to prevent MIME sniffing
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: EAP 6.4.0
Assignee: Rémy Maucherat
QA Contact: Michael Cada
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-16 14:49 UTC by Radim Hatlapatka
Modified: 2019-08-19 12:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:44:59 UTC
Type: Enhancement


Attachments:
revok detailed report (174.56 KB, text/html), 2014-07-16 14:49 UTC, Radim Hatlapatka

Description Radim Hatlapatka 2014-07-16 14:49:37 UTC
Created attachment 918445
revok detailed report

If a MIME type mismatch is found and the nosniff header is missing, it increases the chances of getting exposed to XSS attacks. Some browsers will automatically switch to using an interpreter for the real content type. This increases exposure to XSS attacks.

To mitigate the chances of exposure, define the response header X-Content-Type-Options: nosniff or make sure no MIME type mismatch exists.

For details see the revok report in the attachment.
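As an added example (not from the report or from JBoss EAP), a small Python checker that applies the risk condition stated above to captured responses: a declared Content-Type that does not match what the body looks like is flagged as exposed when X-Content-Type-Options: nosniff is absent, and as protected when it is present. The sniffing heuristic and the sample responses are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

# Constructed, deliberately small sniffing heuristic for what a sniffing browser
# would treat the leading bytes as; real browser algorithms check far more.
_HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<iframe")

def sniff_body(body: bytes) -> Optional[str]:
    """Return the media type the body's first bytes resemble, or None if unknown."""
    head = body.lstrip()[:512].lower()
    if any(head.startswith(m) for m in _HTML_MARKERS):
        return "text/html"
    if body.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    return None

def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string if absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def assess(headers: Dict[str, str], body: bytes) -> Tuple[str, str]:
    """Classify one response as 'mismatch-exposed' (declared type differs from the
    body and nosniff is absent), 'mismatch-protected' (differs, but nosniff stops
    the switch), 'missing-nosniff' (consistent, header still absent) or 'ok'."""
    nosniff = _header(headers, "X-Content-Type-Options").strip().lower() == "nosniff"
    declared = _header(headers, "Content-Type").split(";")[0].strip().lower()
    sniffed = sniff_body(body)
    mismatch = sniffed is not None and sniffed != declared
    detail = f"declared={declared or '(none)'} sniffed={sniffed or '(unknown)'}"
    if mismatch and not nosniff:
        return "mismatch-exposed", detail
    if mismatch:
        return "mismatch-protected", detail
    if not nosniff:
        return "missing-nosniff", detail
    return "ok", detail

# Constructed sample responses: a "plain text" download that is really HTML,
# with and without the header, and an ordinary HTML page.
SAMPLES = {
    "download_no_header": ({"Content-Type": "text/plain"}, b"<script>/* runs if sniffed */</script>"),
    "download_nosniff": ({"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"},
                         b"<script>/* runs if sniffed */</script>"),
    "page_no_header": ({"Content-Type": "text/html; charset=UTF-8"}, b"<!DOCTYPE html><html>"),
    "page_nosniff": ({"content-type": "text/html", "x-content-type-options": "NOSNIFF"},
                     b"<html><body>ok</body></html>"),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(f"{name:20s} {assess(hdrs, body)[0]}")
```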
