[FIXED SECURITY-177]

Add nosniff header liberally to every request we serve.

[FIXED SECURITY-177]
Add nosniff header liberally to every request we serve.
1699e2c1 · Kohsuke Kawaguchi · 25411a0b · 1699e2c1
隐藏空白更改
内联并排

Showing with 5 addition and 1 deletion

core/src/main/java/hudson/security/HudsonFilter.java core/src/main/java/hudson/security/HudsonFilter.java +5 -1

未找到文件。
--- a/core/src/main/java/hudson/security/HudsonFilter.java
+++ b/core/src/main/java/hudson/security/HudsonFilter.java
@@ -36,6 +36,7 @@ import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;

 import org.acegisecurity.AuthenticationManager;
 import org.acegisecurity.ui.rememberme.RememberMeServices;
@@ -153,7 +154,10 @@ public class HudsonFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        LOGGER.entering(HudsonFilter.class.getName(), "doFilter");
-        
+
+        // this is not the best place to do it, but doing it here makes the patch smaller.
+        ((HttpServletResponse)response).setHeader("X-Content-Type-Options", "nosniff");
+
        // to deal with concurrency, we need to capture the object.
        Filter f = filter;