From 8261b1b72e6cd421e532c8a2cd6b3c877bfba81b Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Fri, 24 Feb 2023 23:59:22 -0500 Subject: [PATCH] Set "X-Content-Type-Options: nosniff" header in images/.htaccess MediaWiki already sets this header unconditionally on all requests, but images are served directly by the webserver. We want to remove the IEContentAnalyzer, which currently provides protection against uploading problematic files, so instead we are going to recommend setting this header to instruct browsers to not sniff. Per pingback data, ~83% of reporting installs use Apache. This was suggested by Taavi. Bug: T309787 Change-Id: I8a0c50cc0a8bc037f4c9b0a114f87793446aed7f --- images/.htaccess | 3 +++ 1 file changed, 3 insertions(+) diff --git a/images/.htaccess b/images/.htaccess index 0c8194886f4..e96e1139e28 100644 --- a/images/.htaccess +++ b/images/.htaccess @@ -1,3 +1,6 @@ + +Header set X-Content-Type-Options nosniff + php_flag engine off
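Review bot: The added `Header set X-Content-Type-Options nosniff` line in images/.htaccess has no visible `<IfModule>` guard in the hunk as it reads here (the other two `+` lines are empty). `Header` is a mod_headers directive, so on an Apache install without that module loaded the .htaccess file fails to parse and every request under images/ returns a 500. If the guard is not already present, wrap the directive in `<IfModule headers_module>` and `</IfModule>`. Because the commit message ties this header to the removal of IEContentAnalyzer, it is also worth documenting that the header is silently absent when mod_headers is missing or .htaccess overrides are disabled, and that non-Apache servers need the equivalent set in their own configuration. Consider `Header always set` so the header is also sent on responses Apache generates itself, such as error pages.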