mahara-contributors team mailing list archive

[Aaron Wells <1470281@xxxxxxxxxxxxxxxxxx>]

Actually I think this blog entry provides the best example:
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v
-comprehensive-protection.aspx

"For example, consider the following HTTP-response:

    HTTP/1.1 200 OK
    Content-Length: 108
    Date: Thu, 26 Jun 2008 22:06:28 GMT
    Content-Type: text/plain;
    X-Content-Type-Options: nosniff

    <html>
    <body bgcolor="#AA0000">
    This page renders as HTML source code (text) in IE8.
    </body>
    </html>

In IE7, the text is interpreted as HTML:

IE7 text interpreted as HTML

In IE8, the page is rendered in plaintext:

IE8 text rendered as plain text

Sites hosting untrusted content can use the nosniff directive to ensure
that text/plain files are not sniffed to anything else."

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1470281

Title:
  Use "nosniff" header to prevent potential XSS via untrusted files in
  IE

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.10 series:
  Confirmed
Status in Mahara 1.9 series:
  Confirmed
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 15.10 series:
  In Progress

Bug description:
  Yuliya posted this one directly into Gerrit:
  https://reviews.mahara.org/#/c/4821/

  Use nosniff header to prevent potential XSS via untrusted files in IE

  See
   - https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
   - https://www.owasp.org/index.php/List_of_useful_HTTP_headers

  Solution is to add it to file serving code in places where we do
  forced download of files.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1470281/+subscriptions