
Require X-Content-Type-Options headers for all responses? [3] #1221

Closed
GuillaumeRossolini opened this issue Aug 8, 2018 · 3 comments

@GuillaumeRossolini

Following your recommendation (through the webapp), we kept the "X-Content-Type-Options" response header only for JavaScript and CSS resources. However, another recommendation of the community (in this case Scott Helme) is to use this same header for all content types, though MDN seems to agree with you rather than Scott.

Example here:
https://securityheaders.com/?q=https%3A%2F%2Fwww.instantluxe.com%2F&followRedirects=on

I'm confused as to how this header should be used.

@GuillaumeRossolini GuillaumeRossolini changed the title About About X-Content-Type-Options Aug 8, 2018

alrra commented Aug 8, 2018

@GuillaumeRossolini Thanks for opening this issue.

I'm confused as to how this header should be used.

From our docs:

Note: Modern browsers only respect the header for scripts and stylesheets, and sending the header for other resources (such as images) when they are served with the wrong media type may create problems in older browsers.

But, given the recent discussions (#767, whatwg/misc-server#90 (comment)), we should probably revert the change made in 6a2f29b.

@alrra alrra changed the title About X-Content-Type-Options Require X-Content-Type-Options headers for all responses? Aug 8, 2018
@emilbjorklund

Further feedback on this: found this thread on Mozilla's HTTP Observatory, which in turn links to Google’s docs on how they mitigate side-channel attacks, which then links to docs on Chrome's CORB, which says this:

CORB decides whether a response needs protection (i.e. if a response is a JSON, HTML or XML resource) based on the following:

  • If the response contains X-Content-Type-Options: nosniff response header, then the response will be CORB-protected if its Content-Type header is one of the following:
    • HTML MIME type
    • XML MIME type (except image/svg+xml which is CORB-exempt as described above)
    • JSON MIME type
    • text/plain

[...]
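
The two checks this thread turns on, as an added example (not code from the webhint project, MDN, or the Chromium CORB docs): first, the hint's check after the revert, whether a response carries `X-Content-Type-Options: nosniff` regardless of resource type; second, the CORB rule quoted above, whether a nosniff response is CORB-protected given its Content-Type. Which concrete MIME types count as "HTML", "XML" and "JSON" is my reading of the quoted rule, and the sample responses and `example.test` URLs are constructed.

```javascript
// Added example, not the webhint project's own check nor Chromium's CORB code.
// Models two decisions discussed in this issue:
//   1. hint check: does a response carry `X-Content-Type-Options: nosniff`,
//      whatever its resource type?
//   2. CORB rule quoted above: with nosniff present, is the response
//      CORB-protected given its Content-Type?
// The concrete MIME types grouped as HTML/XML/JSON are an assumption
// (my reading of the quoted rule); all sample responses are constructed.

function headerValue(headers, name) {
  // Header names are case-insensitive, so compare them lowercased.
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

function hasNosniff(headers) {
  const raw = headerValue(headers, "X-Content-Type-Options");
  if (raw === undefined) return false;
  // Fetch's "determine nosniff" takes the first list member and compares it
  // ASCII case-insensitively with `nosniff`; anything else does not count.
  const first = String(raw).split(",")[0].trim().toLowerCase();
  return first === "nosniff";
}

function mimeEssence(contentType) {
  // Strip parameters such as `; charset=utf-8` and normalize case.
  if (!contentType) return "";
  return String(contentType).split(";")[0].trim().toLowerCase();
}

// Assumed groupings for the "HTML", "XML" and "JSON" MIME types in the quote.
function isHtmlType(t) { return t === "text/html"; }
function isXmlType(t) { return t === "text/xml" || t === "application/xml" || t.endsWith("+xml"); }
function isJsonType(t) { return t === "application/json" || t === "text/json" || t.endsWith("+json"); }

function corbProtected(headers) {
  // Only the nosniff branch of the CORB decision is quoted in this thread;
  // without nosniff this example reports "not protected" instead of
  // guessing at the sniffing branch.
  if (!hasNosniff(headers)) return false;
  const type = mimeEssence(headerValue(headers, "Content-Type"));
  if (type === "image/svg+xml") return false;   // explicitly CORB-exempt
  return isHtmlType(type) || isXmlType(type) || isJsonType(type) || type === "text/plain";
}

// Constructed responses standing in for what a crawler would observe.
const SAMPLE_RESPONSES = [
  { url: "https://example.test/app.js",      headers: { "content-type": "application/javascript", "x-content-type-options": "nosniff" } },
  { url: "https://example.test/api/user",    headers: { "content-type": "application/json; charset=utf-8" } },
  { url: "https://example.test/logo.svg",    headers: { "content-type": "image/svg+xml", "x-content-type-options": "nosniff" } },
  { url: "https://example.test/report.html", headers: { "content-type": "text/html", "X-Content-Type-Options": "NOSNIFF" } },
  { url: "https://example.test/photo.jpg",   headers: { "content-type": "image/jpeg" } },
];

function auditResponses(responses) {
  // One row per response: would the hint flag it, and would CORB protect it?
  return responses.map(({ url, headers }) => ({
    url,
    missingNosniff: !hasNosniff(headers),
    corbProtected: corbProtected(headers),
  }));
}

for (const row of auditResponses(SAMPLE_RESPONSES)) {
  const flag = row.missingNosniff ? "MISSING nosniff" : "ok";
  console.log(`${row.url}: ${flag}; CORB-protected: ${row.corbProtected}`);
}
```

Running it shows why the two checks differ: `app.js` passes the hint but is not in CORB's protected set, `logo.svg` carries nosniff yet is exempt, and only `report.html` is both compliant and CORB-protected. The `api/user` JSON response is the interesting failure, since it is exactly the kind of resource CORB would protect if the header were present.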


rugk commented Dec 11, 2018

Actually also "HTML" can be a malicious mime type, as it can obviously embed JS. (Maybe also other types such as SVG?)

See https://www.youtube.com/watch?v=dBJt3eR8-bg for a talk by @hannob on that subject.

@molant molant added this to the 1901-02 milestone Jan 14, 2019
@utsavized utsavized modified the milestones: 1901-2, 1901-1 Jan 14, 2019
@utsavized utsavized changed the title Require X-Content-Type-Options headers for all responses? Require X-Content-Type-Options headers for all responses? [0.5] Jan 24, 2019
@antross antross modified the milestones: 1901-2, 1902-1 Jan 28, 2019
utsavized added a commit to utsavized/hint that referenced this issue Feb 6, 2019
This reverts changes added to check for this header only
on scripts and stylesheets, and instead, checks for the header
on all resources. MDN suggests the former, but Chromium uses
this response header on more than script/stylesheets for
CORB.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Ref webhintio#1221

Close webhintio#1221
@utsavized utsavized changed the title Require X-Content-Type-Options headers for all responses? [0.5] Require X-Content-Type-Options headers for all responses? [3] Feb 6, 2019
molant pushed a commit that referenced this issue Feb 7, 2019
This reverts changes added to check for this header only on
scripts and stylesheets, and instead, checks for the header
on all resources. MDN suggests the former, but Chromium uses
this response header on more than script/stylesheets for
CORB.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Fix #1221
Close #1842