Merge "Use nosniff header to prevent potential XSS via untrusted files in IE"

209b78f1 · Aaron Wells · Gerrit Code Review · af95a779 · 96b117e5 · 209b78f1
Commit 209b78f1 authored Jul 10, 2015 by Aaron Wells Committed by Gerrit Code Review Jul 10, 2015
--- a/htdocs/lib/file.php
+++ b/htdocs/lib/file.php
@@ -89,6 +89,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
    else {
        header('Content-Disposition: inline; filename="' . $filename . '"');
    }
+    header('X-Content-Type-Options: nosniff');

    if ($options['lifetime'] > 0 && !get_config('nocache')) {
        header('Cache-Control: max-age=' . $options['lifetime']);