Cdnjs: Should we add X-Content-Type-Options header?

Created on 13 Nov 2019 · 3 Comments · Source: cdnjs/cdnjs

The X-Content-Type-Options: nosniff header allows a server or CDN to instruct clients not to try to guess at the Content-Type of a file. This is valuable as a file could have the .js file extension, but look like html which would cause the browser to serve it as a site and grant it access to cookies and the like.

We would very much like to add this header, but what we don't want to do is break any existing libraries or sites which happen to be relying on this behavior. We would love to get the community's thoughts on how safe adding it will be.
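To make the risk described in the issue concrete, here is an added audit helper (constructed for this page, not code from cdnjs or any CDN): given a response's headers and body, it checks whether the body would look like HTML to a content-sniffing client and whether X-Content-Type-Options: nosniff is present to stop that re-interpretation. The marker list, the set of "generic" declared types, the sample responses and all function names are assumptions made for the example.

```python
"""Check an HTTP response for MIME-sniffing exposure.

Added, constructed example: given a response's headers and body, decide
whether a client that guesses content types could treat the body as HTML,
and whether X-Content-Type-Options: nosniff is present to forbid guessing.
Helper names and sample responses are assumptions, not cdnjs code.
"""
from dataclasses import dataclass

# Leading byte patterns that sniffing clients take as evidence of HTML.
# Simplified from the MIME Sniffing standard's HTML pattern table.
HTML_MARKERS = (
    b"<!doctype html", b"<html", b"<head", b"<script", b"<iframe",
    b"<body", b"<title", b"<div", b"<a ", b"<meta",
)

# Declared types the MIME Sniffing standard still allows a browser to sniff;
# legacy clients sniffed far more widely, which is why nosniff is the fix
# rather than relying on the declared type alone.
GENERIC_TYPES = {
    "", "text/plain", "application/octet-stream", "unknown/unknown",
    "application/unknown", "*/*",
}


@dataclass
class SniffReport:
    declared_type: str     # media type from Content-Type, lower-cased
    nosniff: bool          # X-Content-Type-Options: nosniff present
    looks_like_html: bool  # body starts with an HTML marker
    generic_type: bool     # declared type is one spec-compliant browsers may sniff
    risk: bool             # HTML-looking body with no nosniff protection


def get_header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def has_nosniff(headers: dict) -> bool:
    # Header name and value are compared case-insensitively ("NoSniff" counts).
    return get_header(headers, "X-Content-Type-Options").lower() == "nosniff"


def media_type(content_type: str) -> str:
    """'text/javascript; charset=utf-8' -> 'text/javascript'."""
    return content_type.split(";", 1)[0].strip().lower()


def looks_like_html(body: bytes) -> bool:
    """Apply the HTML markers to the first 512 bytes, as sniffers do,
    after skipping leading whitespace."""
    head = body[:512].lstrip(b" \t\n\r\x0c").lower()
    return any(head.startswith(marker) for marker in HTML_MARKERS)


def audit(headers: dict, body: bytes) -> SniffReport:
    declared = media_type(get_header(headers, "Content-Type"))
    nosniff = has_nosniff(headers)
    html = looks_like_html(body)
    return SniffReport(
        declared_type=declared,
        nosniff=nosniff,
        looks_like_html=html,
        generic_type=declared in GENERIC_TYPES,
        # With nosniff the declared type is final, so an HTML-looking
        # body cannot be promoted to a document by the client.
        risk=html and not nosniff,
    )


# Constructed sample responses, as a CDN edge might return them for a .js URL.
SAMPLES = {
    "clean-js": (
        {"Content-Type": "application/javascript; charset=utf-8",
         "X-Content-Type-Options": "nosniff"},
        b"(function(){window.lib={version:'1.0'};})();",
    ),
    "html-in-js-no-nosniff": (
        {"content-type": "text/plain"},
        b"\n  <!DOCTYPE html><html><head><title>page</title></head></html>",
    ),
    "html-in-js-with-nosniff": (
        {"Content-Type": "text/plain", "x-content-type-options": "NoSniff"},
        b"<html><body>not a script</body></html>",
    ),
}


def audit_samples() -> dict:
    """Run the audit over every constructed sample; keyed by sample name."""
    return {name: audit(hdrs, body) for name, (hdrs, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, report in audit_samples().items():
        print(f"{name}: {report}")
```

The `risk` flag is deliberately independent of the declared type: spec-compliant browsers only sniff the generic types listed, but the header exists precisely so that no client, old or new, gets to reinterpret a file a CDN serves as a script. The `generic_type` flag is there so an operator can separately spot responses whose Content-Type is missing or too vague to begin with.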



Server - configuration


All 3 comments

I like this, I think it is safe to add since jsDelivr and unpkg have it already set 👍

Regarding to the header config, is it possible to extend the caching for CDNJS?
I think both the "origin" request header and the query string can be ignored, so that would require a custom cache key.

From:
${header:origin}::${scheme}://${host_header}${uri}
To:
${scheme}://${host_header}${uri_iqs}

Dropping by to show some support! 😎

X-Content-Type-Options: nosniff was added to all files.
