always send X-Content-Type-Options: nosniff

It does no harm and stops unpredictable results from browsers changing our content-types
(FF 50+ now also supports nosniff)
Ralf Becker 2017-10-25 17:34:59 +02:00
parent d11fe532d8
commit 77b42dd9a4


@ -50,7 +50,8 @@ class Content
in_array($subtype, array('javascript', 'x-javascript', 'ecmascript', 'jscript', 'vbscript', 'css'))) in_array($subtype, array('javascript', 'x-javascript', 'ecmascript', 'jscript', 'vbscript', 'css')))
{ {
// unfortunatly only Chrome and IE >= 8 allow to switch content-sniffing off with X-Content-Type-Options: nosniff // unfortunatly only Chrome and IE >= 8 allow to switch content-sniffing off with X-Content-Type-Options: nosniff
if (UserAgent::type() == 'chrome' || UserAgent::type() == 'msie' && UserAgent::version() >= 8) if (UserAgent::type() == 'chrome' || UserAgent::type() == 'msie' && UserAgent::version() >= 8 ||
UserAgent::type() == 'firefox' && UserAgent::version() >= 50)
{ {
$mime = 'text/plain'; $mime = 'text/plain';
header('X-Content-Type-Options: nosniff'); // stop IE & Chrome from content-type sniffing header('X-Content-Type-Options: nosniff'); // stop IE & Chrome from content-type sniffing
@ -65,7 +66,7 @@ class Content
{ {
$data = fread($content, $length); $data = fread($content, $length);
fclose($content); fclose($content);
$content =& $data; $content = $data;
unset($data); unset($data);
} }
$content = '<pre>'.$content; $content = '<pre>'.$content;
@ -94,6 +95,9 @@ class Content
$force_download = true; $force_download = true;
} }
} }
// always tell browser to do not sniffing / use our content-type
header('X-Content-Type-Options: nosniff');
if ($no_content_type) if ($no_content_type)
{ {
if ($force_download) self::disposition(Api\Vfs::basename($path), $force_download); if ($force_download) self::disposition(Api\Vfs::basename($path), $force_download);
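Review bot: The `header('X-Content-Type-Options: nosniff')` call inside the browser-specific block of the first hunk (the line with the `// stop IE & Chrome` comment) is now redundant with the unconditional header added just before `if ($no_content_type)`, and the comment above it stating that only Chrome and IE >= 8 honour nosniff is stale now that Firefox >= 50 is part of the condition. I would drop that inner `header()` call and reword the comment to say what the condition still decides, e.g. `// browsers known to honour nosniff get script/css subtypes downgraded to text/plain; nosniff itself is sent unconditionally below`. The `||`/`&&` chain in that condition reads correctly only because `&&` binds tighter than `||`; wrapping each browser test in parentheses would make the intent plain. Since `header()` replaces an existing header of the same name by default, the duplicate does not change the emitted response, so this is cleanup rather than a functional problem. The enclosing method starts and ends outside these hunks.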