Add X-Content-Type-Options for all responses

Author: dvershinin

CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+## [0.0.10] - 2020-05-31
+### Changed
+* `X-Content-Type-Options` is now sent for all resources to accomodate Chromium's CORB 
+(see [webhint.io #1221](https://github.com/webhintio/hint/issues/1221)) 
+

README.md

@@ -11,7 +11,7 @@ http {
 }
 ```
 
-Running `curl -IL https://example.com/` will yield additional headers:
+Running `curl -IL https://example.com/` will yield the added security headers:
 
 <pre>
 HTTP/1.1 200 OK
@@ -22,31 +22,23 @@ Vary: Accept-Encoding
 Accept-Ranges: bytes
 Connection: keep-alive
 <b>X-Frame-Options: SAMEORIGIN
+X-Content-Type-Options: nosniff
 X-XSS-Protection: 1; mode=block
 Referrer-Policy: strict-origin-when-cross-origin
 Strict-Transport-Security: max-age=63072000; includeSubDomains; preload</b>
 </pre>
 
-Running `curl -IL https://example.com/some.css` (or `some.js`) will yield *additional* security header:
-
-<pre>
-HTTP/1.1 200 OK
-...
-<b>X-Content-Type-Options: nosniff</b>
-</pre>
-
 In general, the module features sending security HTTP headers in a way that better conforms to the standards.
 For instance, `Strict-Transport-Security` header should *not* be sent for plain HTTP requests.
 The module follows this recommendation.
 
 ## Key Features
 
 *   Plug-n-Play: the default set of security headers can be enabled with `security_headers on;` in your NGINX configuration
-*   Sends `X-Content-Type-Options` only for relevant MIME types (CSS/JS), preserving unnecessary headers from being sent for HTML documents
-*   Similarly, sends HTML-only security headers for relevant types only, not sending for others, e.g. `X-Frame-Options` is useless for CSS
+*   Sends HTML-only security headers for relevant types only, not sending for others, e.g. `X-Frame-Options` is useless for CSS
 *   Plays well with conditional `GET` requests: the security headers are not included there unnecessarily
 *   Does not suffer the `add_header` directive's pitfalls
-*   Hides `X-Powered-By`, which often leaks PHP version information
+*   Hides `X-Powered-By` and other headers which often leak software version information
 *   Hides `Server` header altogether, not just the version information
 
 ## Configuration directives
@@ -62,7 +54,7 @@ Enables or disables applying security headers. The default set includes:
 * `X-Frame-Options: SAMEORIGIN`
 * `X-XSS-Protection: 1; mode=block`
 * `Referrer-Policy: strict-origin-when-cross-origin`
-* `X-Content-Type-Options: nosniff` (for CSS and Javascript)
+* `X-Content-Type-Options: nosniff`
 
 The values of these headers (or their inclusion) can be controlled with other `security_headers_*` directives below.
 
@@ -84,7 +76,7 @@ It's worth noting that some of those headers bear functional use, e.g. [`X-Page-
 > ... it is used to prevent infinite loops and unnecessary rewrites when PageSpeed 
 > fetches resources from an origin that also uses PageSpeed
 
-So it's best to specify `hide_server_tokens on;` in a front-facing NGINX insances, e.g.
+So it's best to specify `hide_server_tokens on;` in a front-facing NGINX instances, e.g.
 the one being accessed by actual browsers, and not the ones consumed by Varnish or other software.
 
 In most cases you will be just fine with `security_headers on;` and `hide_server_tokens on;`, without any adjustments.
@@ -122,23 +114,15 @@ Special `omit` value will disable sending the header by the module.
 Controls inclusion and value of [`Referrer-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) header. 
 Special `omit` value will disable sending the header by the module. 
 
-### `security_headers_nosniff_types`
-
-- **syntax**: `security_headers_nosniff_types <mime_type> [..]`
-- **default**: `text/css text/javascript application/javascript`
-- **context**: `http`, `server`, `location`
-
-Defines MIME types, for which `X-Content-Type-Options: nosniff` is sent.
-
 ## Install
 
-### CentOS/RHEL 6, 7, 8
+### CentOS/RHEL 6, 7, 8 or Amazon Linux 2
 
-It's easy to install the module in your stable nginx instance dynamically:
+It's easy to install the module in your stable NGINX instance dynamically:
 
 ```bash
 sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
-sudo yum install nginx-module-security-headers
+sudo yum -y install nginx-module-security-headers
 ```
 
 Then add it at the top of your `nginx.conf`:

src/ngx_http_security_headers_module.c

@@ -36,9 +36,6 @@ typedef struct {
     ngx_uint_t                 fo;
     ngx_uint_t                 rp;
 
-    ngx_hash_t                 nosniff_types;
-    ngx_array_t                *nosniff_types_keys;
-
     ngx_hash_t                 text_types;
     ngx_array_t                *text_types_keys;
 
@@ -95,13 +92,6 @@ static ngx_int_t ngx_http_security_headers_init(ngx_conf_t *cf);
 static ngx_int_t ngx_set_headers_out_by_search(ngx_http_request_t *r,
     ngx_str_t *key, ngx_str_t *value);
 
-ngx_str_t  ngx_http_security_headers_default_nosniff_types[] = {
-    ngx_string("text/css"),
-    ngx_string("text/javascript"),
-    ngx_string("application/javascript"),
-    ngx_null_string
-};
-
 ngx_str_t  ngx_http_security_headers_default_text_types[] = {
     ngx_string("text/html"),
     ngx_string("application/xhtml+xml"),
@@ -126,13 +116,6 @@ static ngx_command_t  ngx_http_security_headers_commands[] = {
       offsetof(ngx_http_security_headers_loc_conf_t, hide_server_tokens ),
       NULL },
 
-    { ngx_string("security_headers_nosniff_types"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_1MORE,
-      ngx_http_types_slot,
-      NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_security_headers_loc_conf_t, nosniff_types_keys),
-      &ngx_http_security_headers_default_nosniff_types[0] },
-
     { ngx_string("security_headers_xss"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_enum_slot,
@@ -249,9 +232,7 @@ ngx_http_security_headers_filter(ngx_http_request_t *r)
     }
 
     /* add X-Content-Type-Options to output */
-    if (r->headers_out.status == NGX_HTTP_OK
-        && ngx_http_test_content_type(r, &slcf->nosniff_types) != NULL)
-    {
+    if (r->headers_out.status == NGX_HTTP_OK) {
         ngx_str_set(&key, "X-Content-Type-Options");
         ngx_str_set(&val, "nosniff");
 
@@ -275,7 +256,8 @@ ngx_http_security_headers_filter(ngx_http_request_t *r)
     }
 
 #if (NGX_HTTP_SSL)
-    if (r->connection->ssl) {
+    if (r->connection->ssl)
+    {
         ngx_str_set(&key, "Strict-Transport-Security");
         ngx_str_set(&val, "max-age=63072000; includeSubDomains; preload");
         ngx_set_headers_out_by_search(r, &key, &val);
@@ -359,14 +341,6 @@ ngx_http_security_headers_merge_loc_conf(ngx_conf_t *cf, void *parent,
     ngx_conf_merge_value(conf->hide_server_tokens,
                          prev->hide_server_tokens, 0 );
 
-    if (ngx_http_merge_types(cf, &conf->nosniff_types_keys, &conf->nosniff_types,
-                             &prev->nosniff_types_keys, &prev->nosniff_types,
-                             ngx_http_security_headers_default_nosniff_types)
-        != NGX_OK)
-    {
-        return NGX_CONF_ERROR;
-    }
-
     if (ngx_http_merge_types(cf, &conf->text_types_keys, &conf->text_types,
                              &prev->text_types_keys, &prev->text_types,
                              ngx_http_security_headers_default_text_types)

t/headers.t

@@ -33,7 +33,7 @@ hello world
 hello world
 --- response_headers
 content-type: text/plain; charset=utf-8
-!x-content-type-options
+x-content-type-options: nosniff
 x-frame-options: SAMEORIGIN
 x-xss-protection: 1; mode=block
 
@@ -72,7 +72,7 @@ x-content-type-options: nosniff
 --- response_body
 hello world
 --- response_headers
-!x-content-type-options
+x-content-type-options: nosniff
 x-frame-options: SAMEORIGIN
 !server
 
@@ -95,7 +95,7 @@ x-frame-options: SAMEORIGIN
 --- response_body
 hello world
 --- response_headers
-!x-content-type-options
+x-content-type-options: nosniff
 x-frame-options: SAMEORIGIN
 !Server
 Referrer-Policy: strict-origin-when-cross-origin
@@ -114,7 +114,7 @@ Referrer-Policy: strict-origin-when-cross-origin
 --- response_body
 hello world
 --- response_headers
-!x-content-type-options
+x-content-type-options: nosniff
 x-frame-options: SAMEORIGIN
 x-xss-protection: 1; mode=block
 referrer-policy: unsafe-url
@@ -139,7 +139,7 @@ referrer-policy: unsafe-url
 --- response_body
 hello world
 --- response_headers
-!x-content-type-options
+x-content-type-options: nosniff
 x-frame-options: SAMEORIGIN
 x-xss-protection: 1; mode=block
 referrer-policy: origin