Introduce send_nosniff_header() and use it to turn off content sniffing in supported browsers. Fixes #10671 props chrisscott and niallkennedy.

git-svn-id: http://svn.automattic.com/wordpress/trunk@13409 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-02-25 21:41:33 +00:00 · 2010-02-25 21:41:33 +00:00 · 2372671879
parent 7ab6035d59
commit 2372671879
3 changed files with 15 additions and 0 deletions
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@ -21,6 +21,7 @@ if ( ! isset( $_REQUEST['action'] ) )

 require_once('includes/admin.php');
@header('Content-Type: text/html; charset=' . get_option('blog_charset'));
+send_nosniff_header();

 do_action('admin_init');

--- a/wp-admin/includes/misc.php
+++ b/wp-admin/includes/misc.php
@ -649,4 +649,17 @@ function win_is_writable($path) {
        unlink($path);
    return true;
 }
+
+/**
+ * Send a HTTP header to disable content type sniffing in browsers which support it.
+ * 
+ * @link http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+ * @link http://src.chromium.org/viewvc/chrome?view=rev&revision=6985
+ * 
+ * @since 3.0.0.
+ * @return none
+ */
+function send_nosniff_header() {
+	@header( 'X-Content-Type-Options: nosniff' ); 
+}
 ?>
--- a/wp-admin/index-extra.php
+++ b/wp-admin/index-extra.php
@ -13,6 +13,7 @@ require_once( 'admin.php' );
 require( 'includes/dashboard.php' );

@header( 'Content-Type: ' . get_option( 'html_type' ) . '; charset=' . get_option( 'blog_charset' ) );
+send_nosniff_header();

 switch ( $_GET['jax'] ) {