From d5b4ce16dc77c702e5f8c79fa4f890ee9a48242a Mon Sep 17 00:00:00 2001
From: Brion Vibber <brion@users.mediawiki.org>
Date: Fri, 13 May 2011 15:52:46 +0000
Subject: [PATCH] * (bug 15461) Make IE8 turn off content sniffing. Everbody
 else should ignore this

Adding X-Content-Type-Options: nosniff header in WebStart.php so that it's *always* set, even for alternate entry points and when $wgOut gets disabled or overridden.

Note that this of course doesn't apply to uploaded images and such loaded directly -- the usual caveats still apply.

Have not tested to confirm that this actually protects against sniffing errors -- please test on IE8 and IE9.
---
 includes/WebStart.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/includes/WebStart.php b/includes/WebStart.php
index fa92fc7213..ae81e8834b 100644
--- a/includes/WebStart.php
+++ b/includes/WebStart.php
@@ -56,6 +56,11 @@ if ( ini_get( 'register_globals' ) ) {
 	}
 }
 
+# bug 15461: Make IE8 turn off content sniffing. Everbody else should ignore this
+# We're adding it here so that it's *always* set, even for alternate entry
+# points and when $wgOut gets disabled or overridden.
+header( 'X-Content-Type-Options: nosniff' );
+
 $wgRequestTime = microtime(true);
 # getrusage() does not exist on the Microsoft Windows platforms, catching this
 if ( function_exists ( 'getrusage' ) ) {
-- 
2.20.1