Changeset 13409

Timestamp:

02/25/2010 09:41:33 PM (13 years ago)

Author:

westi

Message:

Introduce send_nosniff_header() and use it to turn off content sniffing in supported browsers. Fixes #10671 props chrisscott and niallkennedy.

Location:

trunk/wp-admin

Files:

• admin-ajax.php (modified) (1 diff)
• includes/misc.php (modified) (1 diff)
• index-extra.php (modified) (1 diff)

trunk/wp-admin/admin-ajax.php

@@ -22 +22 @@
 require_once('includes/admin.php');
 @header('Content-Type: text/html; charset=' . get_option('blog_charset'));
+send_nosniff_header();
 
 do_action('admin_init');

trunk/wp-admin/includes/misc.php

@@ -650 +650 @@
     return true;
 }
+
+/**
+ * Send a HTTP header to disable content type sniffing in browsers which support it.
+ * 
+ * @link http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+ * @link http://src.chromium.org/viewvc/chrome?view=rev&revision=6985
+ * 
+ * @since 3.0.0.
+ * @return none
+ */
+function send_nosniff_header() {
+    @header( 'X-Content-Type-Options: nosniff' ); 
+}
 ?>

trunk/wp-admin/index-extra.php

@@ -14 +14 @@
 
 @header( 'Content-Type: ' . get_option( 'html_type' ) . '; charset=' . get_option( 'blog_charset' ) );
+send_nosniff_header();
 
 switch ( $_GET['jax'] ) {