| Anonymous | Login | Signup for a new account | 04-26-2024 06:19 PDT |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0005972 | [Quercus] | minor | always | 01-14-16 13:10 | 02-10-16 12:06 | ||||
| Reporter | nam | View Status | public | ||||||
| Assigned To | nam | ||||||||
| Priority | normal | Resolution | fixed | ||||||
| Status | closed | Product Version | |||||||
| Summary | 0005972: add microsoft excel content types to app-default.xml | ||||||||
| Description |
(req by S. Busch) The OWASP (Open Web Application Security Project) recommends the HTTP Header X-Content-Type-Options: nosniff See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers [^] <..> The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files. <..> When I set this header with Resin 4.0 <resin:SetHeader name="X-Content-Type-Options" value="nosniff"/> I can see some "broken" downloads of PowerPoint or Excel Files with an Office 2010 and above file extension like *.pptx or *.xlsx. With "broken" I mean that Chrome is displaying the content of the binary/xml file in the browser rather than downloading it. I've checked the network traffic with Chrome and Resin 4.0.46 does not deliver a Content-Type http header for such an .pptx or .xlsx file. $RESIN_HOME/conf/app-default.xml does not define a mime-mapping for these extensions. Would it be possible to add them with one of the next Resin releases? 106a107,111 > <mime-mapping extension=".dot" mime-type="application/msword"/> > <mime-mapping extension=".docx" mime-type="application/vnd.openxmlformats-officedocument.wordprocessingml.document"/> > <mime-mapping extension=".dotx" mime-type="application/vnd.openxmlformats-officedocument.wordprocessingml.template"/> > <mime-mapping extension=".docm" mime-type="application/vnd.ms-word.document.macroEnabled.12"/> > <mime-mapping extension=".dotm" mime-type="application/vnd.ms-word.template.macroEnabled.12"/> 167a173,182 > <mime-mapping extension=".pot" mime-type="application/vnd.ms-powerpoint"/> > <mime-mapping extension=".pps" mime-type="application/vnd.ms-powerpoint"/> > <mime-mapping extension=".ppa" mime-type="application/vnd.ms-powerpoint"/> > <mime-mapping extension=".pptx" mime-type="application/vnd.openxmlformats-officedocument.presentationml.presentation"/> > <mime-mapping extension=".potx" mime-type="application/vnd.openxmlformats-officedocument.presentationml.template"/> > <mime-mapping extension=".ppsx" mime-type="application/vnd.openxmlformats-officedocument.presentationml.slideshow"/> > <mime-mapping extension=".ppam" mime-type="application/vnd.ms-powerpoint.addin.macroEnabled.12"/> > <mime-mapping extension=".pptm" mime-type="application/vnd.ms-powerpoint.presentation.macroEnabled.12"/> > <mime-mapping extension=".potm" mime-type="application/vnd.ms-powerpoint.presentation.macroEnabled.12"/> > <mime-mapping extension=".ppsm" mime-type="application/vnd.ms-powerpoint.slideshow.macroEnabled.12"/> 244a260,267 > <mime-mapping extension=".xlt" mime-type="application/vnd.ms-excel"/> > <mime-mapping extension=".xla" mime-type="application/vnd.ms-excel"/> > <mime-mapping extension=".xlsx" mime-type="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"/> > <mime-mapping extension=".xltx" mime-type="application/vnd.openxmlformats-officedocument.spreadsheetml.template"/> > <mime-mapping extension=".xlsm" mime-type="application/vnd.ms-excel.sheet.macroEnabled.12"/> > <mime-mapping extension=".xltm" mime-type="application/vnd.ms-excel.template.macroEnabled.12"/> > <mime-mapping extension=".xlam" mime-type="application/vnd.ms-excel.addin.macroEnabled.12"/> > <mime-mapping extension=".xlsb" mime-type="application/vnd.ms-excel.sheet.binary.macroEnabled.12"/> For the moment I'm extending by local copy of app-default.xml |
||||||||
| Additional Information | |||||||||
| Attached Files | |||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0006675) nam 02-10-16 12:06 |
Added to 4.0.48. |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 01-14-16 13:10 | nam | New Issue | |
| 02-02-16 11:05 | stbu | Issue Monitored: stbu | |
| 02-10-16 11:58 | nam | Status | new => assigned |
| 02-10-16 11:58 | nam | Assigned To | => nam |
| 02-10-16 12:06 | nam | Status | assigned => closed |
| 02-10-16 12:06 | nam | Note Added: 0006675 | |
| 02-10-16 12:06 | nam | Resolution | open => fixed |
| Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
30 total queries executed. 26 unique queries executed. |  |
