ofbiz-commits mailing list archives

From jler...@apache.org
Subject svn commit: r1719682 - /ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
Date Sat, 12 Dec 2015 12:58:18 GMT
Author: jleroux
Date: Sat Dec 12 12:58:18 2015
New Revision: 1719682

URL: http://svn.apache.org/viewvc?rev=1719682&view=rev
Log:
2nd step for "Secure HTTP headers" https://issues.apache.org/jira/browse/OFBIZ-6766

Adds X-Content-Type-Options. According to Wikipedia and Owasp, the only defined value, "nosniff",
prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
This also applies to Google Chrome, when downloading extensions.

Modified:
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719682&r1=1719681&r2=1719682&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Sat Dec
12 12:58:18 2015
@@ -1004,6 +1004,10 @@ public class RequestHandler {
                 resp.addHeader("strict-transport-security", "max-age=31536000; includeSubDomains");
             }
         }
+        
+        //The only x-vontent-type-options defined value, "nosniff", prevents Internet Explorer
from MIME-sniffing a response away from the declared content-type. 
+        // This also applies to Google Chrome, when downloading extensions.
+        resp.addHeader("x-vontent-type-options", "nosniff"); 
 
         try {
             if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of
type [" + viewMap.type + "]", module);
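Review bot: the header name is misspelled in both added lines of this hunk: `resp.addHeader("x-vontent-type-options", "nosniff");` and the comment above it say `x-vontent-type-options` instead of `x-content-type-options`. Browsers ignore an unrecognised header name, so as committed the response gains an unknown header and the MIME-sniffing protection the log message describes is not actually applied. Suggested fix: `resp.addHeader("x-content-type-options", "nosniff");` with the comment corrected to match. Two smaller points: consider `setHeader` rather than `addHeader` so a value already present on the response is replaced instead of duplicated (one `X-Content-Type-Options` is all that is needed), and the added blank `+` line and the `addHeader` line carry trailing whitespace, while the comment opens with `//The` without the space used elsewhere in this file.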


