From e7b87b5c2027f97d7a31a1aa96d28bf83acc2919 Mon Sep 17 00:00:00 2001 From: xjm Date: Thu, 26 Jan 2023 06:37:33 -0600 Subject: [PATCH] Issue #2854817 by Liam Morland, longwave, alexpott, JoshaHubbers, effulgentsia, alex-b, Mile23, thalles, mr.baileys, Wim Leers, xjm: Duplicate X-Content-Type-Options headers both with the value nosniff --- .htaccess | 8 +++++++- core/assets/scaffold/files/htaccess | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.htaccess b/.htaccess index 116acf42fb3..6644ce04548 100644 --- a/.htaccess +++ b/.htaccess @@ -173,7 +173,13 @@ AddEncoding gzip svgz # Various header fixes. - # Disable content sniffing, since it's an attack vector. + # Disable content sniffing for all responses, since it's an attack vector. + # This header is also set in FinishResponseSubscriber, which depending on + # Apache configuration might get placed in the 'onsuccess' table. To prevent + # header duplication, unset that one prior to setting in the 'always' table. + # See "To circumvent this limitation..." in + # https://httpd.apache.org/docs/current/mod/mod_headers.html. + Header onsuccess unset X-Content-Type-Options Header always set X-Content-Type-Options nosniff # Disable Proxy header, since it's an attack vector. RequestHeader unset Proxy diff --git a/core/assets/scaffold/files/htaccess b/core/assets/scaffold/files/htaccess index 116acf42fb3..6644ce04548 100644 --- a/core/assets/scaffold/files/htaccess +++ b/core/assets/scaffold/files/htaccess 
@@ -173,7 +173,13 @@ AddEncoding gzip svgz # Various header fixes. - # Disable content sniffing, since it's an attack vector. + # Disable content sniffing for all responses, since it's an attack vector. + # This header is also set in FinishResponseSubscriber, which depending on + # Apache configuration might get placed in the 'onsuccess' table. To prevent + # header duplication, unset that one prior to setting in the 'always' table. + # See "To circumvent this limitation..." in + # https://httpd.apache.org/docs/current/mod/mod_headers.html. + Header onsuccess unset X-Content-Type-Options Header always set X-Content-Type-Options nosniff # Disable Proxy header, since it's an attack vector. RequestHeader unset Proxy
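Review bot: the new `Header onsuccess unset X-Content-Type-Options` line only removes the PHP-set header from the `onsuccess` table, and mod_headers documents that condition as applying to successful responses, so please confirm (ideally with a functional test) that a Drupal-rendered 403 or 404 still carries exactly one `X-Content-Type-Options: nosniff` and not two; the comment's "depending on Apache configuration" should also name the configurations it means (mod_php vs. a proxied FastCGI setup) so the next person can reason about which table FinishResponseSubscriber's header lands in. Two smaller points: the doc pointer `See "To circumvent this limitation..." in https://httpd.apache.org/docs/current/mod/mod_headers.html` quotes a phrase that can be edited out of the upstream page, so anchoring it to the directive description (the `Header` directive's `condition` argument) would be more durable; and since the second hunk in `core/assets/scaffold/files/htaccess` is a byte-for-byte copy of the `.htaccess` hunk, keeping the two in sync should be noted in the commit or covered by whatever check ensures the scaffold copy matches.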