Mantis - Quercus

Viewing Issue Advanced Details

ID: 5972
Category:
Severity: minor
Reproducibility: always
Date Submitted: 01-14-16 13:10
Last Update: 02-10-16 12:06

Reporter: nam
Assigned To: nam
Priority: normal
Status: closed
Resolution: fixed
Projection: none
ETA: none
Platform:
OS:
OS Version:
Product Version:
Product Build:
Fixed in Version:

Summary: 0005972: add microsoft excel content types to app-default.xml
Description:

(req by S. Busch) The OWASP (Open Web Application Security Project) recommends the HTTP header X-Content-Type-Options: nosniff. See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

<..> The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files. <..>

When I set this header with Resin 4.0

<resin:SetHeader name="X-Content-Type-Options" value="nosniff"/>

I can see some "broken" downloads of PowerPoint or Excel files with an Office 2010 and above file extension like *.pptx or *.xlsx. With "broken" I mean that Chrome is displaying the content of the binary/XML file in the browser rather than downloading it.

I've checked the network traffic with Chrome, and Resin 4.0.46 does not deliver a Content-Type HTTP header for such a .pptx or .xlsx file. $RESIN_HOME/conf/app-default.xml does not define a mime-mapping for these extensions. Would it be possible to add them with one of the next Resin releases?
106a107,111 > <mime-mapping extension=".dot" mime-type="application/msword"/> > <mime-mapping extension=".docx" mime-type="application/vnd.openxmlformats-officedocument.wordprocessingml.document"/> > <mime-mapping extension=".dotx" mime-type="application/vnd.openxmlformats-officedocument.wordprocessingml.template"/> > <mime-mapping extension=".docm" mime-type="application/vnd.ms-word.document.macroEnabled.12"/> > <mime-mapping extension=".dotm" mime-type="application/vnd.ms-word.template.macroEnabled.12"/> 167a173,182 > <mime-mapping extension=".pot" mime-type="application/vnd.ms-powerpoint"/> > <mime-mapping extension=".pps" mime-type="application/vnd.ms-powerpoint"/> > <mime-mapping extension=".ppa" mime-type="application/vnd.ms-powerpoint"/> > <mime-mapping extension=".pptx" mime-type="application/vnd.openxmlformats-officedocument.presentationml.presentation"/> > <mime-mapping extension=".potx" mime-type="application/vnd.openxmlformats-officedocument.presentationml.template"/> > <mime-mapping extension=".ppsx" mime-type="application/vnd.openxmlformats-officedocument.presentationml.slideshow"/> > <mime-mapping extension=".ppam" mime-type="application/vnd.ms-powerpoint.addin.macroEnabled.12"/> > <mime-mapping extension=".pptm" mime-type="application/vnd.ms-powerpoint.presentation.macroEnabled.12"/> > <mime-mapping extension=".potm" mime-type="application/vnd.ms-powerpoint.presentation.macroEnabled.12"/> > <mime-mapping extension=".ppsm" mime-type="application/vnd.ms-powerpoint.slideshow.macroEnabled.12"/> 244a260,267 > <mime-mapping extension=".xlt" mime-type="application/vnd.ms-excel"/> > <mime-mapping extension=".xla" mime-type="application/vnd.ms-excel"/> > <mime-mapping extension=".xlsx" mime-type="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"/> > <mime-mapping extension=".xltx" mime-type="application/vnd.openxmlformats-officedocument.spreadsheetml.template"/> > <mime-mapping extension=".xlsm" 
mime-type="application/vnd.ms-excel.sheet.macroEnabled.12"/> > <mime-mapping extension=".xltm" mime-type="application/vnd.ms-excel.template.macroEnabled.12"/> > <mime-mapping extension=".xlam" mime-type="application/vnd.ms-excel.addin.macroEnabled.12"/> > <mime-mapping extension=".xlsb" mime-type="application/vnd.ms-excel.sheet.binary.macroEnabled.12"/> For the moment I'm extending my local copy of app-default.xml
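Review bot: the issue summary (0005972) names only Microsoft Excel content types, but the 106a107,111 hunk adds Word mappings (.dot, .docx, .dotx, .docm, .dotm) and the 167a173,182 hunk adds PowerPoint ones; the summary and the release note for the fix should say Office content types so that anyone hitting the same breakage with .docx or .pptx downloads can find this change.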
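Review bot: in the 167a173,182 hunk, .potm is mapped to application/vnd.ms-powerpoint.presentation.macroEnabled.12, the same type the hunk gives .pptm; the registered type for the macro-enabled template is application/vnd.ms-powerpoint.template.macroEnabled.12, so the line should read `<mime-mapping extension=".potm" mime-type="application/vnd.ms-powerpoint.template.macroEnabled.12"/>`. A present-but-wrong Content-Type still avoids the nosniff breakage the report describes, but it advertises a template file as a presentation.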
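An added checker for the condition the report describes (example code, not the reporter's and not part of Resin): it parses the mime-mapping entries of an app-default.xml, lists the Office extensions that are still unmapped, emits the missing lines in the format the file uses, and predicts what Content-Type a download of a given path gets. The expected types are the ones in the patch above, except .potm, for which the registered template type is assumed; SAMPLE_APP_DEFAULT_XML is constructed here to stand in for a pre-patch app-default.xml and is not a copy of it. Point it at $RESIN_HOME/conf/app-default.xml to check a real installation.

```python
"""Check a Resin app-default.xml for the Office mime-mappings this report
asks for and predict the Content-Type a download of a given path gets.

Added example, not code from the bug report or from Resin. Expected types
follow the report's patch except .potm (registered template type assumed).
SAMPLE_APP_DEFAULT_XML is a constructed stand-in, not the real file."""
import os
import sys
import xml.etree.ElementTree as ET

# Office extensions the report found unmapped, with the types to map them to.
EXPECTED_OFFICE_TYPES = {
    ".docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    ".dotx": "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
    ".docm": "application/vnd.ms-word.document.macroEnabled.12",
    ".dotm": "application/vnd.ms-word.template.macroEnabled.12",
    ".pptx": "application/vnd.openxmlformats-officedocument.presentationml.presentation",
    ".potx": "application/vnd.openxmlformats-officedocument.presentationml.template",
    ".ppsx": "application/vnd.openxmlformats-officedocument.presentationml.slideshow",
    ".pptm": "application/vnd.ms-powerpoint.presentation.macroEnabled.12",
    ".potm": "application/vnd.ms-powerpoint.template.macroEnabled.12",  # assumed
    ".ppsm": "application/vnd.ms-powerpoint.slideshow.macroEnabled.12",
    ".ppam": "application/vnd.ms-powerpoint.addin.macroEnabled.12",
    ".xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    ".xltx": "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
    ".xlsm": "application/vnd.ms-excel.sheet.macroEnabled.12",
    ".xltm": "application/vnd.ms-excel.template.macroEnabled.12",
    ".xlam": "application/vnd.ms-excel.addin.macroEnabled.12",
    ".xlsb": "application/vnd.ms-excel.sheet.binary.macroEnabled.12",
}

# Constructed stand-in for the pre-patch file: only the legacy binary Office
# types are mapped, which is the situation the report describes.
SAMPLE_APP_DEFAULT_XML = """<?xml version="1.0"?>
<web-app-default xmlns="http://caucho.com/ns/resin">
  <mime-mapping extension=".doc" mime-type="application/msword"/>
  <mime-mapping extension=".ppt" mime-type="application/vnd.ms-powerpoint"/>
  <mime-mapping extension=".xls" mime-type="application/vnd.ms-excel"/>
  <mime-mapping extension=".html" mime-type="text/html"/>
</web-app-default>
"""

def _local_name(tag):
    """Strip a namespace prefix such as {http://caucho.com/ns/resin}."""
    return tag.rsplit("}", 1)[-1]

def parse_mime_mappings(xml_text):
    """Return {extension: mime-type} for every <mime-mapping> element,
    whatever namespace it is in, with extensions lower-cased and dotted."""
    mappings = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local_name(elem.tag) != "mime-mapping":
            continue
        ext = elem.get("extension", "").strip().lower()
        mime = elem.get("mime-type", "").strip()
        if not ext or not mime:
            continue
        mappings[ext if ext.startswith(".") else "." + ext] = mime
    return mappings

def missing_office_mappings(mappings):
    """Office extensions that are unmapped or mapped to a different type."""
    return {ext: mime for ext, mime in EXPECTED_OFFICE_TYPES.items()
            if mappings.get(ext) != mime}

def render_mime_mapping(ext, mime):
    """One mime-mapping line in the form app-default.xml uses."""
    return '<mime-mapping extension="%s" mime-type="%s"/>' % (ext, mime)

def content_type_for(path, mappings):
    """Content-Type the server would send for path, or None if unmapped
    (the report observed no Content-Type header at all in that case)."""
    return mappings.get(os.path.splitext(path)[1].lower())

def download_outcome(path, mappings, nosniff=True):
    """Classify a download according to the report's observations."""
    ctype = content_type_for(path, mappings)
    if ctype is not None:
        return "ok: Content-Type " + ctype
    if nosniff:
        # No declared type and sniffing forbidden: the case in which the
        # reporter saw Chrome render the bytes inline instead of downloading.
        return "broken: no Content-Type and X-Content-Type-Options: nosniff"
    return "unlabelled: no Content-Type, browser may sniff"

if __name__ == "__main__":
    # Usage: python check_mime.py [$RESIN_HOME/conf/app-default.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_APP_DEFAULT_XML
    found = parse_mime_mappings(text)
    for ext, mime in sorted(missing_office_mappings(found).items()):
        print(render_mime_mapping(ext, mime))
    print(download_outcome("/reports/q4.xlsx", found))
```

The check treats a mapping to a different type as missing, so a wrong line such as the .potm one in the patch is reported alongside absent entries; namespaces are ignored because Resin's configuration files declare one.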
Steps To Reproduce:
Additional Information:
Relationships
Attached Files:
Notes