From 1f380a65489aaba918f0a39f2e4ce24d681965ac Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Mon, 5 Jan 2015 09:57:30 +0000
Subject: [PATCH] Issue #462950 by pwolanin: Mitigate the security risks that come from IE and other browsers trying to sniff the mime type
---
 .htaccess | 6 ++++++
 .../EventSubscriber/FinishResponseSubscriber.php | 6 ++++++
 .../system/src/Tests/Routing/RouterTest.php | 16 +++++++++-------
 3 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/.htaccess b/.htaccess
index 5248bd85d619..7db5d3e57868 100644
--- a/.htaccess
+++ b/.htaccess
@@ -165,3 +165,9 @@ DirectoryIndex index.php index.html index.htm
 </FilesMatch>
 </IfModule>
 </IfModule>
+
+# Add headers to all responses.
+<IfModule mod_headers.c>
+ # Disable content sniffing, since it's an attack vector.
+ Header always set X-Content-Type-Options nosniff
+</IfModule>
diff --git a/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
index fb68b07a0425..963795ed5185 100644
--- a/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
@@ -96,6 +96,12 @@ public function onRespond(FilterResponseEvent $event) {
 // Set the Content-language header.
 $response->headers->set('Content-language', $this->languageManager->getCurrentLanguage()->getId());
+ // Prevent browsers from sniffing a response and picking a MIME type
+ // different from the declared content-type, since that can lead to
+ // XSS and other vulnerabilities.
+ // https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ $response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);
+
 // Attach globally-declared headers to the response object so that Symfony
 // can send them for us correctly.
 // @todo Remove this once drupal_process_attached() no longer calls
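Review bot: `Header always set X-Content-Type-Options nosniff` operates on Apache's "always" header table, which is separate from the table that headers emitted by PHP land in, so for Drupal-generated responses the header is most likely sent twice (once from FinishResponseSubscriber, once from mod_headers) rather than set once; both values are `nosniff`, so this is harmless today, but the comment should say that the duplicate is expected and that the two layers must stay in agreement. Because the block is wrapped in `<IfModule mod_headers.c>`, hosts without mod_headers silently get no header from this file, and only responses that Apache serves directly (static files in particular) are covered — other web servers or a CDN in front need the equivalent setting. Suggested comment above the directive: `# Sent for every response Apache serves, including static files; on hosts without mod_headers this block is a no-op. Keep the value in sync with FinishResponseSubscriber.`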
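Review bot: The third argument on the new `$response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);` line is Symfony's `$replace` flag, and with FALSE an `X-Content-Type-Options` value that is already present is kept and `nosniff` is appended as an extra value instead of replacing it; browsers generally honour only the first value, so a response that already carried a different value would not actually get the protection, and the comment does not say that preserving an earlier value is intended. If the intent is "do not override a value a controller set on purpose", state it and make it explicit, for example `if (!$response->headers->has('X-Content-Type-Options')) {` around the call; if the intent is to enforce the header, drop the FALSE so it always wins. onRespond() starts and continues outside this hunk.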
diff --git a/core/modules/system/src/Tests/Routing/RouterTest.php b/core/modules/system/src/Tests/Routing/RouterTest.php
index 5651768a6d00..e3287595e539 100644
--- a/core/modules/system/src/Tests/Routing/RouterTest.php
+++ b/core/modules/system/src/Tests/Routing/RouterTest.php
@@ -25,17 +25,19 @@ class RouterTest extends WebTestBase {
 public static $modules = array('block', 'router_test');
 /**
- * Confirms that the router can get to a controller.
+ * Confirms that our default controller logic works properly.
 */
- public function testCanRoute() {
+ public function testDefaultController() {
+ // Confirm that the router can get to a controller.
 $this->drupalGet('router_test/test1');
 $this->assertRaw('test1', 'The correct string was returned because the route was successful.');
- }
- /**
- * Confirms that our default controller logic works properly.
- */
- public function testDefaultController() {
+ // Check expected headers from FinishResponseSubscriber
+ $headers = $this->drupalGetHeaders();
+ $this->assertEqual($headers['x-ua-compatible'], 'IE=edge,chrome=1');
+ $this->assertEqual($headers['content-language'], 'en');
+ $this->assertEqual($headers['x-content-type-options'], 'nosniff');
+
 $this->drupalGet('router_test/test2');
 $this->assertRaw('test2', 'The correct string was returned because the route was successful.');
-- 
GitLab
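Review bot: The three new `assertEqual()` calls index `$headers` directly, so if the subscriber ever stops emitting one of these headers the test fails with an undefined-index notice and a comparison against NULL instead of a readable assertion message; a presence check such as `$this->assertTrue(isset($headers['x-content-type-options']), 'X-Content-Type-Options header is present.');` before the value check, and `assertIdentical()` in place of the loose `assertEqual()`, would make the failure mode clear. The header assertions also cover only the `router_test/test1` response; since FinishResponseSubscriber runs on every response, repeating the `x-content-type-options` check after the `router_test/test2` request would guard that path as well. The new comment `// Check expected headers from FinishResponseSubscriber` should end with a period like the other comments in this hunk. testDefaultController() continues past the end of the hunk.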