* (bug 15461) Make IE8 turn off content sniffing. Everbody else should ignore this

Adding X-Content-Type-Options: nosniff header in WebStart.php so that it's *always* set, even for alternate entry points and when $wgOut gets disabled or overridden.

Note that this of course doesn't apply to uploaded images and such loaded directly -- the usual caveats still apply.

Have not tested to confirm that this actually protects against sniffing errors -- please test on IE8 and IE9.

diff --git a/includes/WebStart.php b/includes/WebStart.php
index fa92fc7..ae81e88 100644 (file)
--- a/includes/WebStart.php
+++ b/includes/WebStart.php
@@ -56,6 +56,11 @@ if ( ini_get( 'register_globals' ) ) {
        }
 }
 
+# bug 15461: Make IE8 turn off content sniffing. Everbody else should ignore this
+# We're adding it here so that it's *always* set, even for alternate entry
+# points and when $wgOut gets disabled or overridden.
+header( 'X-Content-Type-Options: nosniff' );
+
 $wgRequestTime = microtime(true);
 # getrusage() does not exist on the Microsoft Windows platforms, catching this
 if ( function_exists ( 'getrusage' ) ) {