Issue #462950 by pwolanin: Mitigate the security risks that come from IE and...

Issue #462950 by pwolanin: Mitigate the security risks that come from IE and other browsers trying to sniff the mime type

Issue #462950 by pwolanin: Mitigate the security risks that come from IE and...
1f380a65 · Alex Pott · 1601b088 · 1f380a65 · 1f380a65 · 1f380a65
Commit 1f380a65 authored 10 years ago by Alex Pott
--- a/.htaccess
+++ b/.htaccess
@@ -165,3 +165,9 @@ DirectoryIndex index.php index.html index.htm
    </FilesMatch>
  </IfModule>
 </IfModule>
+
+# Add headers to all responses.
+<IfModule mod_headers.c>
+  # Disable content sniffing, since it's an attack vector.
+  Header always set X-Content-Type-Options nosniff
+</IfModule>
--- a/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
@@ -96,6 +96,12 @@ public function onRespond(FilterResponseEvent $event) {
    // Set the Content-language header.
    $response->headers->set('Content-language', $this->languageManager->getCurrentLanguage()->getId());

+    // Prevent browsers from sniffing a response and picking a MIME type
+    // different from the declared content-type, since that can lead to
+    // XSS and other vulnerabilities.
+    // https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+    $response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);
+
    // Attach globally-declared headers to the response object so that Symfony
    // can send them for us correctly.
    // @todo Remove this once drupal_process_attached() no longer calls

--- a/core/modules/system/src/Tests/Routing/RouterTest.php
+++ b/core/modules/system/src/Tests/Routing/RouterTest.php
@@ -25,17 +25,19 @@ class RouterTest extends WebTestBase {
  public static $modules = array('block', 'router_test');

  /**
-   * Confirms that the router can get to a controller.
+   * Confirms that our default controller logic works properly.
   */
-  public function testCanRoute() {
+  public function testDefaultController() {
+    // Confirm that the router can get to a controller.
    $this->drupalGet('router_test/test1');
    $this->assertRaw('test1', 'The correct string was returned because the route was successful.');
-  }

-  /**
-   * Confirms that our default controller logic works properly.
-   */
-  public function testDefaultController() {
+    // Check expected headers from FinishResponseSubscriber
+    $headers = $this->drupalGetHeaders();
+    $this->assertEqual($headers['x-ua-compatible'], 'IE=edge,chrome=1');
+    $this->assertEqual($headers['content-language'], 'en');
+    $this->assertEqual($headers['x-content-type-options'], 'nosniff');
+
    $this->drupalGet('router_test/test2');
    $this->assertRaw('test2', 'The correct string was returned because the route was successful.');