Issue #462950 by pwolanin: Mitigate the security risks that come from IE and other browsers trying to sniff the mime type

2015-01-05 09:57:30 +00:00 · 2015-01-05 09:57:30 +00:00 · 1f380a6548
parent 1601b088fa
commit 1f380a6548
3 changed files with 22 additions and 8 deletions
--- a/.htaccess
+++ b/.htaccess
@ -165,3 +165,9 @@ DirectoryIndex index.php index.html index.htm
    </FilesMatch>
  </IfModule>
 </IfModule>
+
+# Add headers to all responses.
+<IfModule mod_headers.c>
+  # Disable content sniffing, since it's an attack vector.
+  Header always set X-Content-Type-Options nosniff
+</IfModule>
--- a/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
@ -96,6 +96,12 @@ class FinishResponseSubscriber implements EventSubscriberInterface {
    // Set the Content-language header.
    $response->headers->set('Content-language', $this->languageManager->getCurrentLanguage()->getId());

+    // Prevent browsers from sniffing a response and picking a MIME type
+    // different from the declared content-type, since that can lead to
+    // XSS and other vulnerabilities.
+    // https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+    $response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);
+
    // Attach globally-declared headers to the response object so that Symfony
    // can send them for us correctly.
    // @todo Remove this once drupal_process_attached() no longer calls
--- a/core/modules/system/src/Tests/Routing/RouterTest.php
+++ b/core/modules/system/src/Tests/Routing/RouterTest.php
@ -24,18 +24,20 @@ class RouterTest extends WebTestBase {
   */
  public static $modules = array('block', 'router_test');

-  /**
-   * Confirms that the router can get to a controller.
-   */
-  public function testCanRoute() {
-    $this->drupalGet('router_test/test1');
-    $this->assertRaw('test1', 'The correct string was returned because the route was successful.');
-  }
-
  /**
   * Confirms that our default controller logic works properly.
   */
  public function testDefaultController() {
+    // Confirm that the router can get to a controller.
+    $this->drupalGet('router_test/test1');
+    $this->assertRaw('test1', 'The correct string was returned because the route was successful.');
+
+    // Check expected headers from FinishResponseSubscriber
+    $headers = $this->drupalGetHeaders();
+    $this->assertEqual($headers['x-ua-compatible'], 'IE=edge,chrome=1');
+    $this->assertEqual($headers['content-language'], 'en');
+    $this->assertEqual($headers['x-content-type-options'], 'nosniff');
+
    $this->drupalGet('router_test/test2');
    $this->assertRaw('test2', 'The correct string was returned because the route was successful.');