Consider returning "nosniff" for JSONP responses #38
Assignees
Comments
|
Good find. Yes, let's add the same type of header-setting logic as Express. Also, let's add some comments in the code that clearly indicate that a) the nosniff header, b) the JS comment, and c) the typeof check are all mitigations against Rosetta Flash. Comment should reference this ticket. |
onebytegone
added a commit
that referenced
this issue
Mar 21, 2019
onebytegone
added a commit
that referenced
this issue
Mar 21, 2019
onebytegone
added a commit
that referenced
this issue
Mar 22, 2019
onebytegone
added a commit
that referenced
this issue
Mar 22, 2019
Merged
onebytegone
added a commit
that referenced
this issue
Mar 22, 2019
onebytegone
added a commit
that referenced
this issue
Apr 1, 2019
onebytegone
added a commit
that referenced
this issue
Apr 1, 2019
|
Closed with #42. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As part of preventing Rosetta Flash, express sets the
X-Content-Type-Optionsheader tonosniff. lambda-express already has the/**/mitigation, however shouldnosniffalso be added?See also: https://helmetjs.github.io/docs/dont-sniff-mimetype/
The text was updated successfully, but these errors were encountered: