Changeset 248deae

Timestamp:

Feb 25, 2016 2:56:06 PM (5 years ago)

Author:

zzz <zzz@…>

Branches:

master

Children:

90a915b

Parents:

a79b25d

Message:

Console: Add X-Content-Type-Options header everywhere (ticket #1763)

Location:

apps

Files:

• i2psnark/java/src/org/klomp/snark/web/BasicServlet.java (modified) (2 diffs)
• i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java (modified) (1 diff)
• i2ptunnel/jsp/edit.jsp (modified) (1 diff)
• i2ptunnel/jsp/index.jsp (modified) (1 diff)
• i2ptunnel/jsp/wizard.jsp (modified) (1 diff)
• imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/IdenticonServlet.java (modified) (1 diff)
• imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/QRServlet.java (modified) (1 diff)
• imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/RandomArtServlet.java (modified) (1 diff)
• routerconsole/java/src/net/i2p/router/web/CodedIconRendererServlet.java (modified) (1 diff)
• routerconsole/jsp/css.jsi (modified) (1 diff)
• routerconsole/jsp/flags.jsp (modified) (1 diff)
• routerconsole/jsp/viewhistory.jsp (modified) (1 diff)
• routerconsole/jsp/viewstat.jsp (modified) (1 diff)
• routerconsole/jsp/viewtheme.jsp (modified) (1 diff)
• routerconsole/jsp/xhr1.jsp (modified) (1 diff)
• susidns/src/jsp/addressbook.jsp (modified) (1 diff)
• susidns/src/jsp/config.jsp (modified) (1 diff)
• susidns/src/jsp/details.jsp (modified) (1 diff)
• susidns/src/jsp/export.jsp (modified) (1 diff)
• susidns/src/jsp/index.jsp (modified) (1 diff)
• susidns/src/jsp/subscriptions.jsp (modified) (1 diff)
• susimail/src/src/i2p/susi/webmail/WebMail.java (modified) (1 diff)

apps/i2psnark/java/src/org/klomp/snark/web/BasicServlet.java

@@ -379 +379 @@
         if (content.getContentType()!=null && response.getContentType()==null)
             response.setContentType(content.getContentType());
-        
+        response.setHeader("X-Content-Type-Options", "nosniff");
         long lml = content.getLastModified();
         if (lml > 0)
@@ -395 +395 @@
         if (ct>=0)
             response.setHeader("Cache-Control", "public, max-age=" + ct);
-
     }
 

apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java

@@ -380 +380 @@
         resp.setHeader("X-Frame-Options", "SAMEORIGIN");
         resp.setHeader("X-XSS-Protection", "1; mode=block");
+        resp.setHeader("X-Content-Type-Options", "nosniff");
     }
 

apps/i2ptunnel/jsp/edit.jsp

@@ -6 +6 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %><%@page pageEncoding="UTF-8"

apps/i2ptunnel/jsp/index.jsp

@@ -9 +9 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %><%@page pageEncoding="UTF-8"

apps/i2ptunnel/jsp/wizard.jsp

@@ -9 +9 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %><%@page pageEncoding="UTF-8"

apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/IdenticonServlet.java

@@ -167 +167 @@
                         // return image bytes to requester
                         response.setContentType(IDENTICON_IMAGE_MIMETYPE);
+                        response.setHeader("X-Content-Type-Options", "nosniff");
                         response.setContentLength(imageBytes.length);
                         response.getOutputStream().write(imageBytes);

apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/QRServlet.java

@@ -192 +192 @@
                         // return image bytes to requester
                         response.setContentType(IDENTICON_IMAGE_MIMETYPE);
+                        response.setHeader("X-Content-Type-Options", "nosniff");
                         response.setContentLength(imageBytes.length);
                         response.getOutputStream().write(imageBytes);

apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/RandomArtServlet.java

@@ -63 +63 @@
                                         response.setCharacterEncoding("UTF-8");
                                 }
+                                response.setHeader("X-Content-Type-Options", "nosniff");
                                 buf.append(RandomArt.gnutls_key_fingerprint_randomart(h.getData(), "SHA", 256, "", true, html));
                                 if (html)

apps/routerconsole/java/src/net/i2p/router/web/CodedIconRendererServlet.java

@@ -42 +42 @@
          
          srs.setContentType("image/png");
+         srs.setHeader("X-Content-Type-Options", "nosniff");
          srs.setDateHeader("Expires", I2PAppContext.getGlobalContext().clock().now() + 86400000l);
          srs.setHeader("Cache-Control", "public, max-age=86400");

apps/routerconsole/jsp/css.jsi

@@ -35 +35 @@
       response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
       response.setHeader("X-XSS-Protection", "1; mode=block");
+      response.setHeader("X-Content-Type-Options", "nosniff");
    }
 

apps/routerconsole/jsp/flags.jsp

@@ -32 +32 @@
         // cache for a day
         response.setDateHeader("Expires", net.i2p.I2PAppContext.getGlobalContext().clock().now() + 86400000l);
-        response.setHeader("Cache-Control", "public, max-age=86400");
+        response.setHeader("Cache-Control", "public, max-age=604800");
+        response.setHeader("X-Content-Type-Options", "nosniff");
     }
     long length = ffile.length();

apps/routerconsole/jsp/viewhistory.jsp

@@ -8 +8 @@
  */
 response.setContentType("text/plain");
+response.setHeader("X-Content-Type-Options", "nosniff");
 String base = net.i2p.I2PAppContext.getGlobalContext().getBaseDir().getAbsolutePath();
 try {

apps/routerconsole/jsp/viewstat.jsp

@@ -36 +36 @@
       java.io.OutputStream cout = response.getOutputStream();
       String format = request.getParameter("format");
+      response.setHeader("X-Content-Type-Options", "nosniff");
       if ("xml".equals(format)) {
         if (!fakeBw) {

apps/routerconsole/jsp/viewtheme.jsp

@@ -22 +22 @@
   response.setContentType("image/svg+xml");
 }
+response.setHeader("X-Content-Type-Options", "nosniff");
 /*
  * User or plugin themes

apps/routerconsole/jsp/xhr1.jsp

@@ -9 +9 @@
        session.setAttribute("i2p.contextId", request.getParameter("i2p.contextId"));
    }
+   response.setHeader("X-Content-Type-Options", "nosniff");
 %>
 <jsp:useBean class="net.i2p.router.web.CSSHelper" id="intl" scope="request" />

apps/susidns/src/jsp/addressbook.jsp

@@ -31 +31 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>

apps/susidns/src/jsp/config.jsp

@@ -31 +31 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>

apps/susidns/src/jsp/details.jsp

@@ -28 +28 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>

apps/susidns/src/jsp/export.jsp

@@ -24 +24 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 %>
 <%@page pageEncoding="UTF-8"%>

apps/susidns/src/jsp/index.jsp

@@ -31 +31 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>

apps/susidns/src/jsp/subscriptions.jsp

@@ -31 +31 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>

apps/susimail/src/src/i2p/susi/webmail/WebMail.java

@@ -1594 +1594 @@
                 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
                 response.setHeader("X-XSS-Protection", "1; mode=block");
+                response.setHeader("X-Content-Type-Options", "nosniff");
                 RequestWrapper request = new RequestWrapper( httpRequest );