Html: What is "X-Content-Type-Options=nosniff"?

Notice: this page is a Chinese-English side-by-side translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow. Original: http://stackoverflow.com/questions/18337630/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share them, but you must attribute them to the original authors (not me): StackOverFlow

Time: 2020-08-29 12:22:17  Source: igfitidea

What is "X-Content-Type-Options=nosniff"?

Tags: html, http-headers, meta, owasp, penetration-testing

Asked by Koffeehaus

I am doing some penetration testing on my localhost with OWASP ZAP, and it keeps reporting this message:

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown

I have no idea what this means, and I couldn't find anything online. I have tried adding:

<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" http-equiv="Content-Type" />

but I still get the alert.

What is the correct way of setting the parameter?

Accepted answer by Remi Gacogne

It prevents the browser from doing MIME-type sniffing. Most browsers are now respecting this header, including Chrome/Chromium, Edge, IE >= 8.0, Firefox >= 50 and Opera >= 13. See :

https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx?Redirected=true

Sending the new X-Content-Type-Options response header with the value nosniff will prevent Internet Explorer from MIME-sniffing a response away from the declared content-type.

EDIT:

Oh and, that's an HTTP header, not a HTML meta tag option.

See also : http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx

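
An added example, not part of the accepted answer or of OWASP ZAP itself: a small Python script that serves one page carrying only the <meta http-equiv> tag from the question and another that sends the real X-Content-Type-Options response header, then runs a passive check modelled on the ZAP alert against both. The server, the paths /meta and /header, and the function names (audit_nosniff, audit_path, run_demo) are this example's own inventions; the check treats the header value case-insensitively, as browsers do, but reports anything other than nosniff.

```python
import http.client
import http.server
import socketserver
import threading

# Constructed responses: the <meta http-equiv> tag from the question versus a
# real HTTP response header. Only the latter is what browsers (and ZAP) check.
META_ONLY_HTML = (
    b"<!doctype html><html><head>"
    b'<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" '
    b'http-equiv="Content-Type" />'
    b"</head><body>meta tag only</body></html>"
)
HEADER_HTML = b"<!doctype html><html><body>header set</body></html>"


class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Serves /meta (meta tag, no header) and /header (real header)."""

    def do_GET(self):
        body = META_ONLY_HTML if self.path == "/meta" else HEADER_HTML
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        if self.path == "/header":
            # The only thing that counts: an HTTP response header, not markup.
            self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def audit_nosniff(headers):
    """Passive check modelled on the ZAP alert. Returns a list of findings;
    an empty list means the response passes. Works on any mapping with a
    case-insensitive .get(), e.g. http.client's response.headers."""
    findings = []
    if headers.get("Content-Type") is None:
        findings.append("Content-Type header missing")
    value = headers.get("X-Content-Type-Options")
    if value is None:
        findings.append("X-Content-Type-Options header missing")
    elif value.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has unexpected value {value!r}")
    return findings


def audit_path(host, port, path):
    """Fetch one path with http.client (no proxy handling) and audit it."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return audit_nosniff(resp.headers)
    finally:
        conn.close()


def run_demo():
    """Start the server on an ephemeral loopback port and audit both pages."""
    with socketserver.TCPServer(("127.0.0.1", 0), DemoHandler) as server:
        port = server.server_address[1]
        thread = threading.Thread(target=server.serve_forever, daemon=True)
        thread.start()
        try:
            return {
                "/meta": audit_path("127.0.0.1", port, "/meta"),
                "/header": audit_path("127.0.0.1", port, "/header"),
            }
        finally:
            server.shutdown()
            thread.join()


if __name__ == "__main__":
    for path, findings in run_demo().items():
        print(f"{path}: {'OK' if not findings else '; '.join(findings)}")
```

Running it reports a missing header for /meta and OK for /header: the meta tag ends up inside the HTML body, where neither a browser nor a scanner looks for this header. The same audit_nosniff function can be pointed at the .headers of any http.client or urllib response.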
Answer by Grokify

Description

Setting a server's X-Content-Type-Options HTTP response header to nosniff instructs browsers to disable content or MIME sniffing, which is used to override response Content-Type headers to guess and process the data using an implicit content type. While this can be convenient in some scenarios, it can also lead to some attacks listed below. Configuring your server to return the X-Content-Type-Options HTTP response header set to nosniff will instruct browsers that support MIME sniffing to use the server-provided Content-Type and not interpret the content as a different content type.

Browser Support

The X-Content-Type-Options HTTP response header is supported in Chrome, Firefox and Edge as well as other browsers. The latest browser support is available on the Mozilla Developer Network (MDN) Browser Compatibility Table for X-Content-Type-Options:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Attacks Countered

  1. MIME Confusion Attack enables attacks via user generated content sites by allowing users to upload malicious code that is then executed by browsers which will interpret the files using alternate content types, e.g. implicit application/javascript vs. explicit text/plain. This can result in a "drive-by download" attack which is a common attack vector for phishing. Sites that host user generated content should use this header to protect their users. This is mentioned by VeraCode and OWASP which says the following:

    This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.

  2. Unauthorized Hotlinking can also be enabled by Content-Type sniffing. By hotlinking to sites with resources for one purpose, e.g. viewing, apps can rely on content-type sniffing and generate a lot of traffic on sites for another purpose where it may be against their terms of service, e.g. GitHub displays JavaScript code for viewing, but not for execution:

    Some pesky non-human users (namely computers) have taken to "hotlinking" assets via the raw view feature -- using the raw URL as the src for a <script> or <img> tag. The problem is that these are not static assets. The raw file view, like any other view in a Rails app, must be rendered before being returned to the user. This quickly adds up to a big toll on performance. In the past we've been forced to block popular content served this way because it put excessive strain on our servers.

Answer by Won Jun Bae

# prevent mime based attacks
Header set X-Content-Type-Options "nosniff"

This header prevents "mime" based attacks. This header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type as the header instructs the browser not to override the response content type. With the nosniff option, if the server says the content is text/html, the browser will render it as text/html.

http://stopmalvertising.com/security/securing-your-website-with-.htaccess/.htaccess-http-headers.html

Answer by ComeIn

For Microsoft IIS servers, you can enable this header via your web.config file:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Content-Type-Options"/>
        <add name="X-Content-Type-Options" value="nosniff"/>
      </customHeaders>
    </httpProtocol>
</system.webServer>

And you are done.

Answer by Sahil Aggarwal

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.

Syntax:

X-Content-Type-Options: nosniff

Directives:

nosniff: Blocks a request if the requested type is 1. "style" and the MIME type is not "text/css", or 2. "script" and the MIME type is not a JavaScript MIME type.

Note: nosniff only applies to "script" and "style" types. Also applying nosniff to images turned out to be incompatible with existing web sites.

Specification:

https://fetch.spec.whatwg.org/#x-content-type-options-header

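
As an added example (not code from the Fetch specification, MDN or any of the answers above), the following Python reproduces the decision described in Sahil Aggarwal's directive list, the Fetch spec's "should response to request be blocked due to nosniff?" algorithm, and applies it to the user-upload case from Grokify's MIME confusion item. The JavaScript MIME type list and the script-like destinations are the ones in the WHATWG MIME Sniffing and Fetch standards; the Content-Type parsing is simplified to the type/subtype essence of a single header value, the sample headers are constructed, and the function names are this example's own.

```python
# JavaScript MIME type essences from the WHATWG MIME Sniffing standard.
JAVASCRIPT_MIME_ESSENCES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

# Request destinations the Fetch standard calls "script-like".
SCRIPT_LIKE_DESTINATIONS = {
    "audioworklet", "paintworklet", "script", "serviceworker",
    "sharedworker", "worker",
}


def get_header(headers, name):
    """Case-insensitive lookup in a plain dict of header name -> value."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def mime_essence(content_type):
    """Return the lower-cased 'type/subtype' of a Content-Type value with
    parameters stripped, or None when it does not parse (spec: 'failure').
    Simplified: one header value, no multi-header merging."""
    if content_type is None:
        return None
    essence = content_type.split(";", 1)[0].strip().lower()
    parts = essence.split("/")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return essence


def determine_nosniff(headers):
    """Fetch's 'determine nosniff': split the header as a list and accept only
    if the first member is an ASCII case-insensitive match for 'nosniff'."""
    value = get_header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def blocked_due_to_nosniff(headers, destination):
    """True when a conforming browser must discard the response for the given
    request destination ('script', 'style', 'image', ...)."""
    if not determine_nosniff(headers):
        return False
    essence = mime_essence(get_header(headers, "Content-Type"))
    if destination in SCRIPT_LIKE_DESTINATIONS:
        return essence not in JAVASCRIPT_MIME_ESSENCES
    if destination == "style":
        return essence != "text/css"
    # Every other destination (images, fonts, documents, fetch()) is left
    # alone: nosniff only gates scripts and stylesheets.
    return False


def upload_scenario():
    """Constructed MIME confusion case: a site serves a user-uploaded file as
    text/plain and a third-party page pulls its URL into <script src=...>
    (destination 'script'). Returns whether nosniff blocks it with and
    without the header."""
    served = {"Content-Type": "text/plain; charset=utf-8"}
    hardened = dict(served, **{"X-Content-Type-Options": "nosniff"})
    return {
        "without_header": blocked_due_to_nosniff(served, "script"),
        "with_nosniff": blocked_due_to_nosniff(hardened, "script"),
    }


if __name__ == "__main__":
    for label, blocked in upload_scenario().items():
        print(f"{label}: {'blocked' if blocked else 'not blocked by nosniff'}")
```

Note what the algorithm does not do: with no header at all the function returns False for every destination, which is exactly the situation ZAP flagged, since nosniff is opt-in. It also never restricts image or document loads, so a text/plain upload requested as an image is still left to the browser's sniffer; only the script and stylesheet paths, where a wrong guess means code execution in the embedding page, are closed.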