
Commit f3755e5

Updated nosniff header to apply to non-204 responses only (#1858)
ref https://linear.app/tryghost/issue/ONC-179
- some self-hosters reported seeing a prompt to download "auth-frame" when visiting a post with comments enabled on iOS
- recently, we've worked on an optimisation for comments UI to return an empty 204 for /ghost/auth-frame/ when no staff admin is authenticated (more context TryGhost/Ghost#19840)
- setting X-Content-Type-Options to nosniff helps to prevent browsers from interpreting files as a different MIME type than what is specified in the Content-Type header
- however, when returning an empty 204 response (No Content, therefore no Content-Type to check), iOS Safari interprets this header as a file to download from the url
- with this change, we add the nosniff header only to non-204 responses
1 parent 449accd commit f3755e5

3 files changed

+12
-2
lines changed

extensions/nginx/templates/nginx-ssl.conf

Lines changed: 6 additions & 0 deletions
@@ -1,3 +1,8 @@
1+
map $status $header_content_type_options {
2+
204 "";
3+
default "nosniff";
4+
}
5+
16
server {
27
listen 443 ssl http2;
38
listen [::]:443 ssl http2;
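Review bot: the `204 "";` entry only suppresses the header because nginx's `add_header` skips a header whose value evaluates to an empty string; a comment above the `map` block stating that would stop the next reader from assuming the header is sent with an empty value. Also, `map` is only valid in the `http` context, so this template must keep being included from there rather than from inside a `server` block.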
@@ -16,6 +21,7 @@ server {
1621
proxy_set_header Host $http_host;
1722
proxy_pass http://127.0.0.1:<%= port %>;
1823
<% if (location !== '/') { %>proxy_redirect off;<% } %>
24+
add_header X-Content-Type-Options $header_content_type_options;
1925
}
2026

2127
location ~ /.well-known {
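Review bot: putting an `add_header` inside `location <%= location %>` stops that location from inheriting `add_header` directives declared at `server` level, because nginx inherits them only when the current level declares none of its own. If this server block includes ssl-params.conf (whose `Strict-Transport-Security` and `X-Frame-Options` directives appear in the last hunk of this commit) at server level, responses proxied to Ghost lose both headers after this change. Either repeat those two `add_header` lines in this location block, or move `add_header X-Content-Type-Options $header_content_type_options;` up to server level beside them; the `$status` map is evaluated per response at either level.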

extensions/nginx/templates/nginx.conf

Lines changed: 6 additions & 0 deletions
@@ -1,3 +1,8 @@
1+
map $status $header_content_type_options {
2+
204 "";
3+
default "nosniff";
4+
}
5+
16
server {
27
listen 80;
38
listen [::]:80;
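Review bot: this `map` defines the same `$header_content_type_options` variable as nginx-ssl.conf, and a site with both templates enabled loads both definitions into one `http` context. nginx accepts a repeated `map` for the same variable (the later definition wins), but the two copies must stay identical to remain harmless; a shared include, or a comment in each file pointing at the other, would keep them from drifting.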
@@ -12,6 +17,7 @@ server {
1217
proxy_set_header Host $http_host;
1318
proxy_pass http://127.0.0.1:<%= port %>;
1419
<% if (location !== '/') { %>proxy_redirect off;<% } %>
20+
add_header X-Content-Type-Options $header_content_type_options;
1521
}
1622

1723
location ~ /.well-known {
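Review bot: `add_header` without the `always` parameter applies only to a fixed set of success and redirect codes (200, 201, 204, 206, 301, 302, 303, 304, 307, 308), so error responses from the proxied Ghost instance will not carry X-Content-Type-Options. The removed directive in ssl-params.conf had the same limit, but since this line is new it is a good moment to write `add_header X-Content-Type-Options $header_content_type_options always;`; the 204 mapping to an empty value still suppresses the header where intended. Note too that any `add_header` declared at server level in this file is no longer inherited by this location, because nginx inherits `add_header` only when the current level declares none.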

extensions/nginx/templates/ssl-params.conf

Lines changed: 0 additions & 2 deletions
@@ -10,6 +10,4 @@ resolver 8.8.8.8 8.8.4.4 valid=300s;
1010
resolver_timeout 5s;
1111
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
1212
add_header X-Frame-Options SAMEORIGIN;
13-
add_header X-Content-Type-Options nosniff;
14-
1513
ssl_dhparam <%= dhparam %>;
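Review bot: removing the directive from this include narrows the header's reach from every location in the SSL server block to just `location <%= location %>` in the two templates; the `location ~ /.well-known` block visible in the earlier hunks, for instance, no longer emits X-Content-Type-Options. If that is intended, a line in the commit message saying so would help; if not, keep a server-level `add_header X-Content-Type-Options $header_content_type_options;` here instead, since the `$status` map handles the 204 case at any level and a server-level directive avoids the location-level inheritance problem.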
