[4.0] Cannot disable the X-Content-Type-Options in the System - HTTP Headers plugin
Labels: J4 Issue
sandewt - 29 Jul 2019

Steps to reproduce the issue

See the System - HTTP Headers plugin.

It is not possible to disable the X-Content-Type-Options functionality on an Apache server, without changing the .htaccess file too.
This is somewhat confusing.

System information (as much as possible)

PHP Version 7.3.7
Web Server Apache/2.4.39 (Win64) OpenSSL/1.1.1c PHP/7.3.7
WebServer to PHP Interface apache2handler
Joomla! Version Joomla! 4.0.0-alpha11-dev Development [ Amani ] 29-June-2019 11:27 GMT

Additional comments

Because the .htaccess file contains the following instruction:

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

[screenshot: 2019-07-29 08:11:09]

sandewt - open - 29 Jul 2019
joomla-cms-bot - change - 29 Jul 2019: Labels Added: ?
joomla-cms-bot - labeled - 29 Jul 2019
franz-wohlkoenig - change - 29 Jul 2019: Labels Added: J4 Issue
franz-wohlkoenig - labeled - 29 Jul 2019
franz-wohlkoenig - change - 29 Jul 2019: Title changed from "Cannot disable the X-Content-Type-Options in the System - HTTP Headers plugin" to "[4.0] Cannot disable the X-Content-Type-Options in the System - HTTP Headers plugin"
franz-wohlkoenig - edited - 29 Jul 2019
franz-wohlkoenig - change - 29 Jul 2019: Status New → Discussion
zero-24 - comment - 29 Jul 2019

It is not possible to disable the X-Content-Type-Options functionality on an Apache server, without changing the .htaccess file too.
This is somewhat confusing.

Agree, as you mention, this is the line in the .htaccess. This was set by the JSST in response to this issue: https://developer.joomla.org/security-centre/766-20190202-core-browserside-mime-type-sniffing-causes-xss-attack-vectors.html

As the option in the plugin was there before it might make sense to remove that option from the plugin.

sandewt - comment - 29 Jul 2019

Agree, as you mention

@zero-24, Yes.

In addition, the web.config.txt file has the same X-Content-Type-Options.

See line 29 -

<httpProtocol>
    <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
</httpProtocol>

zero-24 - comment - 29 Jul 2019

Yes, this is expected; in the coming days I'm preparing a PR to remove that option in the plugin. It is already on my list. :)

sandewt - comment - 29 Jul 2019

@zero-24,

This was set by the JSST in response...

What happens in case you do NOT use the .htaccess or web.config file (the X-Content-Type-Options functionality is then not set, as far as I can see) and you remove that option?


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/25735.
zero-24 - comment - 31 Jul 2019

What happens in case you do NOT use the .htaccess or web.config file (the X-Content-Type-Options functionality is then not set, as far as I can see) and you remove that option?

What would be your suggestion to fix this? We could force this setting from the plugin, but what would happen when they disable the plugin? Every backend gets a notice, and new installs have this header in the default htaccess. Any new installation of 4.0 with htaccess support enabled will have that header set.
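The thread's underlying point is that this header can be emitted from three separate layers (the plugin, Apache's .htaccess, and IIS's web.config), so an operator who turns one layer off may still have it set, or may have none of them set. The following audit script is an added example and is not Joomla's code or anything from PR #25753: it locates the directive in .htaccess and web.config text and then evaluates a raw HTTP response the way browsers do per the Fetch standard's "determine nosniff" step (all copies of the header are joined, split on commas, and only the first token counts). The function names (`htaccess_directives`, `webconfig_values`, `check_nosniff`, `audit`) and the sample .htaccess, web.config and response texts are constructed for this demo, modelled on the snippets quoted in the thread.

```python
"""Find every layer that sets X-Content-Type-Options and verify what a browser
would actually honour.

Added example, not Joomla's own code. The .htaccess, web.config and HTTP
response texts below are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

HEADER = "x-content-type-options"

# Constructed .htaccess fragment; the active directive is the one the issue quotes.
HTACCESS_SAMPLE = """\
# Header always set X-Content-Type-Options "nosniff"   (commented out: ignored)
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
"""

# Constructed web.config fragment around the customHeaders block quoted above.
WEBCONFIG_SAMPLE = """\
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# mod_headers directive shape: Header [always|onsuccess] action name [value]
_HTACCESS_RE = re.compile(
    r'^\s*Header\s+(?:always\s+|onsuccess\s+)?'
    r'(?P<action>set|add|append|merge|unset)\s+(?P<name>\S+)'
    r'(?:\s+"?(?P<value>[^"\s]+)"?)?',
    re.IGNORECASE | re.MULTILINE,
)


def htaccess_directives(text):
    """(action, value) for every X-Content-Type-Options directive in .htaccess text.

    Commented-out lines start with '#' and therefore never match; 'unset'
    has no value, so value is None for it.
    """
    return [
        (m.group("action").lower(), m.group("value"))
        for m in _HTACCESS_RE.finditer(text)
        if m.group("name").lower() == HEADER
    ]


def webconfig_values(text):
    """Values of <add name="X-Content-Type-Options"> under httpProtocol/customHeaders.

    The tree is walked by hand because the parent tag 'system.webServer'
    contains a dot, which ElementTree path expressions mis-tokenise.
    """
    values = []
    for proto in ET.fromstring(text).iter("httpProtocol"):
        for custom in proto.findall("customHeaders"):
            for add in custom.findall("add"):
                if add.get("name", "").lower() == HEADER:
                    values.append(add.get("value", ""))
    return values


def parse_headers(raw):
    """Split the head of a raw HTTP/1.1 response into lower-cased (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_nosniff(raw):
    """Evaluate the header as the Fetch 'determine nosniff' step does: join all
    copies with ', ', split on ',', and honour only the first token when it is a
    case-insensitive match for 'nosniff'."""
    values = [v for n, v in parse_headers(raw) if n == HEADER]
    first = ", ".join(values).split(",")[0].strip().lower() if values else ""
    return {
        "present": bool(values),
        "duplicates": len(values) > 1,  # more than one layer emitted it
        "effective": first == "nosniff",
    }


# Constructed responses: header set once, absent, and emitted by two layers.
RESP_SET = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Content-Type-Options: nosniff\r\n\r\n<html>")
RESP_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
RESP_DUP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "X-Content-Type-Options: nosniff\r\n\r\n<html>")


def audit(htaccess, webconfig, raw_response):
    """Summarise which config layer sets the header and what the response shows."""
    return {
        "htaccess": htaccess_directives(htaccess),
        "web.config": webconfig_values(webconfig),
        "response": check_nosniff(raw_response),
    }


if __name__ == "__main__":
    for label, resp in (("set", RESP_SET), ("missing", RESP_MISSING), ("duplicate", RESP_DUP)):
        print(label, audit(HTACCESS_SAMPLE, WEBCONFIG_SAMPLE, resp)["response"])
```

Running the script reports the header as effective for the single and duplicated cases and as absent for the third; the `duplicates` flag is what you would watch after centralising the header in one layer, since a clean cut-over should leave exactly one copy in the response.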

zero-24 - comment - 31 Jul 2019

Please find my suggestion to remove that header config from the plugin here: #25753.

franz-wohlkoenig - comment - 31 Jul 2019

Closed as having Pull Request #25753

franz-wohlkoenig - change - 31 Jul 2019: Status Discussion → Closed; Closed_Date 0000-00-00 00:00:00 → 2019-07-31 18:06:37; Closed_By franz-wohlkoenig
franz-wohlkoenig - close - 31 Jul 2019
sandewt - comment - 1 Aug 2019

What would be your suggestion to fix this? We could force this setting from the plugin ....

Thanks, very clear explanation.

[EDIT] But why not centralise all the header functionality in the plugin? It must still be possible to remove the code from the htaccess / web.config? Unless the safety is reduced!
