Changeset 248deae


Timestamp:
Feb 25, 2016 2:56:06 PM (4 years ago)
Author:
zzz <zzz@…>
Branches:
master
Children:
90a915b
Parents:
a79b25d
Message:

Console: Add X-Content-Type-Options header everywhere (ticket #1763)

Location:
apps
Files:
22 edited

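--- a/apps/i2psnark/java/src/org/klomp/snark/web/BasicServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/BasicServlet.java
@@ -379,5 +379,5 @@
         if (content.getContentType()!=null && response.getContentType()==null)
             response.setContentType(content.getContentType());
-        
+        response.setHeader("X-Content-Type-Options", "nosniff");
         long lml = content.getLastModified();
         if (lml > 0)
@@ -395,5 +395,4 @@
         if (ct>=0)
             response.setHeader("Cache-Control", "public, max-age=" + ct);
-
     }
 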
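Review bot: The `"X-Content-Type-Options"` / `"nosniff"` literal pair added at new line 381 is repeated verbatim in every other file section of this changeset (21 more servlets and JSPs) with nothing tying them together, so a future endpoint can silently omit it. A servlet Filter registered per webapp, or at minimum a shared constant alongside the existing `"Cache-Control"` handling in this class, would keep the header uniform and reviewable in one place. The second hunk only removes a blank line. The enclosing method starts before the first hunk and is not fully visible here.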
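--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -380,4 +380,5 @@
         resp.setHeader("X-Frame-Options", "SAMEORIGIN");
         resp.setHeader("X-XSS-Protection", "1; mode=block");
+        resp.setHeader("X-Content-Type-Options", "nosniff");
     }
 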
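--- a/apps/i2ptunnel/jsp/edit.jsp
+++ b/apps/i2ptunnel/jsp/edit.jsp
@@ -6,4 +6,5 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %><%@page pageEncoding="UTF-8"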
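--- a/apps/i2ptunnel/jsp/index.jsp
+++ b/apps/i2ptunnel/jsp/index.jsp
@@ -9,4 +9,5 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %><%@page pageEncoding="UTF-8"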
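--- a/apps/i2ptunnel/jsp/wizard.jsp
+++ b/apps/i2ptunnel/jsp/wizard.jsp
@@ -9,4 +9,5 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %><%@page pageEncoding="UTF-8"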
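--- a/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/IdenticonServlet.java
+++ b/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/IdenticonServlet.java
@@ -167,4 +167,5 @@
                         // return image bytes to requester
                         response.setContentType(IDENTICON_IMAGE_MIMETYPE);
+                        response.setHeader("X-Content-Type-Options", "nosniff");
                         response.setContentLength(imageBytes.length);
                         response.getOutputStream().write(imageBytes);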
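--- a/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/QRServlet.java
+++ b/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/QRServlet.java
@@ -192,4 +192,5 @@
                         // return image bytes to requester
                         response.setContentType(IDENTICON_IMAGE_MIMETYPE);
+                        response.setHeader("X-Content-Type-Options", "nosniff");
                         response.setContentLength(imageBytes.length);
                         response.getOutputStream().write(imageBytes);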
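--- a/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/RandomArtServlet.java
+++ b/apps/imagegen/imagegen/webapp/src/main/java/net/i2p/imagegen/RandomArtServlet.java
@@ -63,4 +63,5 @@
                                         response.setCharacterEncoding("UTF-8");
                                 }
+                                response.setHeader("X-Content-Type-Options", "nosniff");
                                 buf.append(RandomArt.gnutls_key_fingerprint_randomart(h.getData(), "SHA", 256, "", true, html));
                                 if (html)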
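--- a/apps/routerconsole/java/src/net/i2p/router/web/CodedIconRendererServlet.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/CodedIconRendererServlet.java
@@ -42,4 +42,5 @@
          
          srs.setContentType("image/png");
+         srs.setHeader("X-Content-Type-Options", "nosniff");
          srs.setDateHeader("Expires", I2PAppContext.getGlobalContext().clock().now() + 86400000l);
          srs.setHeader("Cache-Control", "public, max-age=86400");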
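--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@@ -35,4 +35,5 @@
       response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
       response.setHeader("X-XSS-Protection", "1; mode=block");
+      response.setHeader("X-Content-Type-Options", "nosniff");
    }
 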
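--- a/apps/routerconsole/jsp/flags.jsp
+++ b/apps/routerconsole/jsp/flags.jsp
@@ -32,5 +32,6 @@
         // cache for a day
         response.setDateHeader("Expires", net.i2p.I2PAppContext.getGlobalContext().clock().now() + 86400000l);
-        response.setHeader("Cache-Control", "public, max-age=86400");
+        response.setHeader("Cache-Control", "public, max-age=604800");
+        response.setHeader("X-Content-Type-Options", "nosniff");
     }
     long length = ffile.length();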
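Review bot: The new `Cache-Control` line at new line 34 raises max-age to 604800 (seven days), but the comment on line 32 still says `// cache for a day` and the `Expires` header on line 33 is still computed with `86400000l` (one day), so the two caching headers now disagree and the change is not mentioned in the commit message, which only covers X-Content-Type-Options. Either keep max-age at 86400 or bring the other two lines along: `// cache for a week` and `response.setDateHeader("Expires", net.i2p.I2PAppContext.getGlobalContext().clock().now() + 604800000L);`. The upper-case `L` suffix also avoids the lowercase `l` that reads as a `1`. The surrounding `if` block opens before this hunk.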
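--- a/apps/routerconsole/jsp/viewhistory.jsp
+++ b/apps/routerconsole/jsp/viewhistory.jsp
@@ -8,4 +8,5 @@
  */
 response.setContentType("text/plain");
+response.setHeader("X-Content-Type-Options", "nosniff");
 String base = net.i2p.I2PAppContext.getGlobalContext().getBaseDir().getAbsolutePath();
 try {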
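--- a/apps/routerconsole/jsp/viewstat.jsp
+++ b/apps/routerconsole/jsp/viewstat.jsp
@@ -36,4 +36,5 @@
       java.io.OutputStream cout = response.getOutputStream();
       String format = request.getParameter("format");
+      response.setHeader("X-Content-Type-Options", "nosniff");
       if ("xml".equals(format)) {
         if (!fakeBw) {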
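Review bot: The nosniff header at new line 38 is set after the response body stream has already been obtained as `cout` on line 36; obtaining the stream does not commit the response, but any write or flush to `cout` before this point (not visible in the hunk) would cause the servlet container to drop the header silently. Moving the line above `response.getOutputStream()` — e.g. `response.setHeader("X-Content-Type-Options", "nosniff");` placed directly after wherever the content type is set earlier in this page — keeps all headers ahead of body output and matches the ordering used in the other sections of this changeset. The enclosing block starts before the hunk and continues past it.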
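--- a/apps/routerconsole/jsp/viewtheme.jsp
+++ b/apps/routerconsole/jsp/viewtheme.jsp
@@ -22,4 +22,5 @@
   response.setContentType("image/svg+xml");
 }
+response.setHeader("X-Content-Type-Options", "nosniff");
 /*
  * User or plugin themes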
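--- a/apps/routerconsole/jsp/xhr1.jsp
+++ b/apps/routerconsole/jsp/xhr1.jsp
@@ -9,4 +9,5 @@
        session.setAttribute("i2p.contextId", request.getParameter("i2p.contextId"));
    }
+   response.setHeader("X-Content-Type-Options", "nosniff");
 %>
 <jsp:useBean class="net.i2p.router.web.CSSHelper" id="intl" scope="request" />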
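--- a/apps/susidns/src/jsp/addressbook.jsp
+++ b/apps/susidns/src/jsp/addressbook.jsp
@@ -31,4 +31,5 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>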
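--- a/apps/susidns/src/jsp/config.jsp
+++ b/apps/susidns/src/jsp/config.jsp
@@ -31,4 +31,5 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>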
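--- a/apps/susidns/src/jsp/details.jsp
+++ b/apps/susidns/src/jsp/details.jsp
@@ -28,4 +28,5 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>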
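--- a/apps/susidns/src/jsp/export.jsp
+++ b/apps/susidns/src/jsp/export.jsp
@@ -24,4 +24,5 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 %>
 <%@page pageEncoding="UTF-8"%>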
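--- a/apps/susidns/src/jsp/index.jsp
+++ b/apps/susidns/src/jsp/index.jsp
@@ -31,4 +31,5 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>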
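--- a/apps/susidns/src/jsp/subscriptions.jsp
+++ b/apps/susidns/src/jsp/subscriptions.jsp
@@ -31,4 +31,5 @@
     response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
+    response.setHeader("X-Content-Type-Options", "nosniff");
 
 %>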
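--- a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
@@ -1594,4 +1594,5 @@
                 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
                 response.setHeader("X-XSS-Protection", "1; mode=block");
+                response.setHeader("X-Content-Type-Options", "nosniff");
                 RequestWrapper request = new RequestWrapper( httpRequest );
                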