firefox-ios

should not guess the MIME type if it has the X-Content-Type-Options: nosniff header

Open rls1004 opened this issue 1 year ago • 1 comments

Steps to reproduce

  1. Create a test.html file.
      <script>alert("Hi");</script>
  2. Create an .htaccess file.
      <Files test.html>
      Header always set X-Content-Type-Options "nosniff"
      Header always set Content-Type ""
      </Files>
  3. Run the web server and visit test.html.

Expected behavior

"" is displayed as text or a file is downloaded so that the user can decide to use it.

Actual behavior

alert("Hi") is executed.

Device & build information

  • Device: iPhone 15 Pro, iOS 17.5.1
  • Build version: 127.1 (42781)
  • First seen version: I didn't try it in previous versions.

Notes

Attachments:

  • test on iOS firefox_mac

  • test on Mac firefox_mac

rls1004 Jun 22 '24 05:06
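
The expected behavior in the report above, written out as an added example (not code from the issue or from Firefox for iOS): a simplified model of how the WHATWG MIME Sniffing standard treats a response with an empty Content-Type, where nosniff rules out scriptable types. The function names and the signature subset are assumptions made for illustration.

```python
# Added example: simplified model of the WHATWG MIME Sniffing rules for a
# response with no usable Content-Type. Not Firefox for iOS code.
SNIFF_WINDOW = 1445  # the standard inspects at most this many leading bytes
WHITESPACE = b"\t\n\x0c\r "
# Subset of the standard's scriptable (HTML) signatures, lower-cased.
HTML_SIGNATURES = (b"<!doctype html", b"<html", b"<head", b"<script",
                   b"<iframe", b"<body")
# "Binary data bytes" as defined by the standard.
BINARY_BYTES = (set(range(0x00, 0x09)) | {0x0B} | set(range(0x0E, 0x1B))
                | set(range(0x1C, 0x20)))
UNKNOWN_TYPES = {"", "unknown/unknown", "application/unknown", "*/*"}


def looks_like_html(body: bytes) -> bool:
    """True if the body starts with an HTML signature plus a tag terminator."""
    head = body[:SNIFF_WINDOW].lstrip(WHITESPACE).lower()
    return any(head.startswith(sig) and head[len(sig):len(sig) + 1] in (b" ", b">")
               for sig in HTML_SIGNATURES)


def computed_type(headers: dict, body: bytes) -> str:
    """Type the client should act on; only the unknown-type branch is modelled."""
    h = {k.lower(): v for k, v in headers.items()}
    supplied = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").split(",")[0].strip().lower() == "nosniff"
    if supplied not in UNKNOWN_TYPES:
        return supplied  # assumption: a usable supplied type is kept as-is
    # With nosniff the body may still be classified, but never as a scriptable type.
    if not nosniff and looks_like_html(body):
        return "text/html"
    if any(b in BINARY_BYTES for b in body[:SNIFF_WINDOW]):
        return "application/octet-stream"
    return "text/plain"


def runs_script(headers: dict, body: bytes) -> bool:
    """Would a client following this model render the body as HTML?"""
    return computed_type(headers, body) == "text/html"


# The response from the steps to reproduce above.
REPRO_HEADERS = {"X-Content-Type-Options": "nosniff", "Content-Type": ""}
REPRO_BODY = b'<script>alert("Hi");</script>'

if __name__ == "__main__":
    print(computed_type(REPRO_HEADERS, REPRO_BODY))           # nosniff honoured
    print(computed_type({"Content-Type": ""}, REPRO_BODY))    # sniffing allowed
```

The model leaves out the standard's non-HTML signature tables (PDF, images, archives and so on), so any body that is not HTML falls through to the text-or-binary decision.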

Hi @rls1004, can you give us an example of where you are facing this issue? Or what is the use case? Thanks!

afurlan-firefox Jun 27 '24 20:06