Issue #2854817 by Liam Morland, longwave, alexpott, JoshaHubbers, effulgentsia, alex-b, Mile23, thalles, mr.baileys, Wim Leers, xjm: Duplicate X-Content-Type-Options headers both with the value nosniff

merge-requests/3144/head
xjm 2023-01-26 06:37:33 -06:00
parent e505dc7d76
commit e7b87b5c20
No known key found for this signature in database
GPG Key ID: 206B0B8743BDF4C2
2 changed files with 14 additions and 2 deletions


@ -173,7 +173,13 @@ AddEncoding gzip svgz
# Various header fixes. # Various header fixes.
<IfModule mod_headers.c> <IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector. # Disable content sniffing for all responses, since it's an attack vector.
# This header is also set in FinishResponseSubscriber, which depending on
# Apache configuration might get placed in the 'onsuccess' table. To prevent
# header duplication, unset that one prior to setting in the 'always' table.
# See "To circumvent this limitation..." in
# https://httpd.apache.org/docs/current/mod/mod_headers.html.
Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options nosniff Header always set X-Content-Type-Options nosniff
# Disable Proxy header, since it's an attack vector. # Disable Proxy header, since it's an attack vector.
RequestHeader unset Proxy RequestHeader unset Proxy
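Review bot: the comment added above `Header onsuccess unset X-Content-Type-Options` leaves "depending on Apache configuration" unspecified, so a later maintainer cannot tell when the unset is needed and may drop it as redundant. Name the setups in which the header from FinishResponseSubscriber lands in the 'onsuccess' table, or reference issue #2854817 in the comment. It would also help to state that the unset only touches the 'onsuccess' copy, while `Header always set X-Content-Type-Options nosniff` supplies the value for every response.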


@ -173,7 +173,13 @@ AddEncoding gzip svgz
# Various header fixes. # Various header fixes.
<IfModule mod_headers.c> <IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector. # Disable content sniffing for all responses, since it's an attack vector.
# This header is also set in FinishResponseSubscriber, which depending on
# Apache configuration might get placed in the 'onsuccess' table. To prevent
# header duplication, unset that one prior to setting in the 'always' table.
# See "To circumvent this limitation..." in
# https://httpd.apache.org/docs/current/mod/mod_headers.html.
Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options nosniff Header always set X-Content-Type-Options nosniff
# Disable Proxy header, since it's an attack vector. # Disable Proxy header, since it's an attack vector.
RequestHeader unset Proxy RequestHeader unset Proxy
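Review bot: the `Header onsuccess unset` / `Header always set` pair here repeats the first file's hunk line for line, and neither of the 2 changed files is a test, so nothing asserts the outcome the commit title describes. Add a check that a PHP-generated page and a static file each return exactly one `X-Content-Type-Options: nosniff` header, and one that fails when the two copies of this block diverge.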