From 77b42dd9a42d2a410874401b167084dd26b758fb Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Wed, 25 Oct 2017 17:34:59 +0200
Subject: [PATCH] always send X-Content-Type-Options: nosniff

It does not harm and stops unpredictable results from browsers changing our content-types (FF 50+ now also supports nosniff)
---
 api/src/Header/Content.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/api/src/Header/Content.php b/api/src/Header/Content.php
index 3c70f6467b..dfcf89a7ea 100644
--- a/api/src/Header/Content.php
+++ b/api/src/Header/Content.php
@@ -50,7 +50,8 @@ class Content
 in_array($subtype, array('javascript', 'x-javascript', 'ecmascript', 'jscript', 'vbscript', 'css')))
 {
 // unfortunatly only Chrome and IE >= 8 allow to switch content-sniffing off with X-Content-Type-Options: nosniff
- if (UserAgent::type() == 'chrome' || UserAgent::type() == 'msie' && UserAgent::version() >= 8)
+ if (UserAgent::type() == 'chrome' || UserAgent::type() == 'msie' && UserAgent::version() >= 8 ||
+ UserAgent::type() == 'firefox' && UserAgent::version() >= 50)
 {
 $mime = 'text/plain';
 header('X-Content-Type-Options: nosniff'); // stop IE & Chrome from content-type sniffing
@@ -65,7 +66,7 @@ class Content
 {
 $data = fread($content, $length);
 fclose($content);
- $content =& $data;
+ $content = $data;
 unset($data);
 }
 $content = '
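Review bot: The comment above the changed condition still says only Chrome and IE >= 8 honour nosniff, and the trailing comment on the header() line still reads `// stop IE & Chrome from content-type sniffing`, while the new condition also admits Firefox >= 50; update both, e.g. `// Chrome, IE >= 8 and Firefox >= 50 honour X-Content-Type-Options: nosniff`. The condition mixes `||` and `&&` without parentheses; precedence gives the intended grouping, but writing each browser as `(UserAgent::type() == 'msie' && UserAgent::version() >= 8)` would make that explicit, and `===` with an explicit int cast of version() would avoid loose comparisons if type()/version() return strings. Because the later hunk in this file sends the nosniff header unconditionally, the header() call here becomes redundant when both run in the same request (harmless, since header() replaces by default), so it could be dropped. The enclosing method starts before this hunk.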
'.$content;
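Review bot: Dropping the reference in `$content = $data;` is fine, but the `fread($content, $length)` two lines above it is still unchecked: it returns false on failure and may return fewer than $length bytes for non-plain-file streams, after which fclose() and the concatenation below silently turn that into an empty or truncated body. Consider `$data = stream_get_contents($content);` if the whole stream is wanted, or a `if ($data === false) { /* report the read failure */ }` check before fclose(). The enclosing method starts before this hunk.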
@@ -94,6 +95,9 @@ class Content
 				$force_download = true;
 			}
 		}
+		// always tell browser to do not sniffing / use our content-type
+		header('X-Content-Type-Options: nosniff');
+
 		if ($no_content_type)
 		{
 			if ($force_download) self::disposition(Api\Vfs::basename($path), $force_download);
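Review bot: The added comment reads awkwardly; suggest `// always tell the browser not to sniff: honour the Content-Type we send`. nosniff only takes effect together with an explicit Content-Type, and in the `$no_content_type` branch directly below none is emitted by this code, so the protection there depends on whatever the caller sets — worth stating in the comment. header() also fails with a warning if output has already started; that is pre-existing for the other header() calls in this method, but the new call runs on every response, so it is the first one to trip if any caller echoes before reaching here. The enclosing method starts before this hunk.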