Opt-out of content snuffing for admin ajax

[niallkennedy]

Browsers such as Internet Explorer include a MIME-sniffing feature that scans the beginning of a downloaded resource to determine the correct MIME render mode regardless of the Content-Type header. ​Internet Explorer 8 and ​Chromium allow page authors to opt-out of the sniff, asserting they don't need content to pass through such a feature.

Adding a HTTP Header of "X-Content-Type-Options: nosniff" eliminates the sniffing process, speeding up content rendering.

Opting-out of browser MIME sniff is especially beneficial on small Ajax payloads. Starting with admin-ajax.php and index-extra.php from wp-admin for that reason.

[niallkennedy]

Admin ajax processor with sniff opt-out HTTP header.

[niallkennedy]

Extra dashboard content ajax handler with sniff opt-out HTTP header.

[chrisscott]

Combined these into one patch against r13299 in attachment:ticket:10671:10671.diff​

Basic testing:

$ curl -I http://trunk.localhost.localdomain/wp-admin/admin-ajax.php?action=foo
HTTP/1.1 200 OK
Date: Mon, 22 Feb 2010 19:06:29 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8l DAV/2 PHP/5.3.0
X-Powered-By: PHP/5.3.0
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8

$ curl -I -b [cookie file] http://trunk.localhost.localdomain/wp-admin/index-extra.php
HTTP/1.1 200 OK
Date: Mon, 22 Feb 2010 19:15:10 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8l DAV/2 PHP/5.3.0
X-Powered-By: PHP/5.3.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 22 Feb 2010 19:15:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8

[nacin]

Looks good.

[westi]

(In [13409]) Introduce send_nosniff_header() and use it to turn off content sniffing in supported browsers. Fixes #10671 props chrisscott and niallkennedy.

[westi]

I changed it around a little to introduce a function to send the header so we only have the header definition in one place.