- Bug
- Resolution: Obsolete
- Major
Hi,
Our security team is telling us that we have to add the following header to our Apache:
“X-Content-Options: nosniff”
After we added this header, certain image URLs were no longer working, specifically those images that were uploaded as jpg vs jpeg. That is because image/jpg is not a valid content type while image/jpeg is.
Looking at the following, the issue was identified, but doesn't seem to have been updated:
https://jira.magnolia-cms.com/browse/MGNLIMG-177
It seems this code is still outputting the content type based on properties from the JCR:
final String contentType;
try
catch (RepositoryException e) {
    throw new IllegalStateException("Can't get content-type from " + binary);
}
imageResponse.setMediaType(MediaType.parse(contentType));
While the image does render from the servlet, this is causing for content type determination.
- is related to: MAGNOLIA-7344 <X-Content-Options: nosniff> Returning Incorrect Content Types (Closed)
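One way to keep a stored value such as image/jpg from reaching the response header is to resolve the content type before it is passed to MediaType.parse. The following is an added example, not code from the report or from Magnolia; the class ImageContentType, the method resolve and the alias table are hypothetical, and the sample bytes are constructed.

```java
import java.util.Locale;
import java.util.Map;

public class ImageContentType {
    // Hypothetical alias table: unregistered names that may be stored with an upload.
    private static final Map<String, String> ALIASES = Map.of(
            "image/jpg", "image/jpeg",
            "image/pjpeg", "image/jpeg",
            "image/x-png", "image/png");

    /** True if data begins with the given signature bytes. */
    private static boolean startsWith(byte[] data, int... sig) {
        if (data == null || data.length < sig.length) return false;
        for (int i = 0; i < sig.length; i++) {
            if ((data[i] & 0xFF) != sig[i]) return false;
        }
        return true;
    }

    /** Picks the Content-Type to send: file signature first, then the normalized stored value. */
    public static String resolve(String stored, byte[] head) {
        if (startsWith(head, 0xFF, 0xD8, 0xFF)) return "image/jpeg";
        if (startsWith(head, 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A)) return "image/png";
        if (startsWith(head, 'G', 'I', 'F', '8')) return "image/gif";
        if (stored == null) return "application/octet-stream";
        // Drop parameters such as "; charset=..." and normalize case before the alias lookup.
        String base = stored.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        String type = ALIASES.getOrDefault(base, base);
        // Only pass through well-formed type/subtype values; anything else becomes a generic download.
        return type.matches("[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+") ? type : "application/octet-stream";
    }

    public static void main(String[] args) {
        byte[] jpeg = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0}; // constructed JPEG header
        byte[] unknown = {0x00, 0x01, 0x02};                                 // constructed, no known signature
        System.out.println(resolve("image/jpg", jpeg));    // signature decides
        System.out.println(resolve("Image/JPG", unknown)); // alias table decides
        System.out.println(resolve(null, unknown));        // nothing usable stored
    }
}
```

Checking the leading bytes first means the header describes what is actually served, which matters once the browser is told not to sniff.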