The value in https://github.com/spring-projects/spring-security/blob/613165b86c6f12da21675d410b3b22a9ae7a0b7b/web/src/main/java/org/springframework/security/web/server/header/XContentTypeOptionsServerHttpHeadersWriter.java#L31 should be changed to `X-Content-Type-Options`.
Comment From: jzheaux
Because this field is public, perhaps it would be better to add a new value and deprecate this one? If so, I think we can move the `breaks-passivity` label to a new ticket that removes the deprecated value.
Comment From: joerg-richter-5234
If the following meets the results of your discussion, I'll gladly open a pull request for this issue.
- Deprecate constant X_CONTENT_OPTIONS
- Introduce constant X_CONTENT_TYPE_OPTIONS
- Update referenced constant in CONTENT_TYPE_HEADERS from X_CONTENT_OPTIONS to X_CONTENT_TYPE_OPTIONS
```java
package org.springframework.security.web.server.header;

import org.springframework.web.server.ServerWebExchange;

import reactor.core.publisher.Mono;

public class XContentTypeOptionsServerHttpHeadersWriter implements ServerHttpHeadersWriter {

	@Deprecated(since = "5.7", forRemoval = true)
	public static final String X_CONTENT_OPTIONS = "X-Content-Options";

	public static final String X_CONTENT_TYPE_OPTIONS = "X-Content-Type-Options";

	public static final String NOSNIFF = "nosniff";

	/**
	 * The delegate to write all the cache control related headers
	 */
	private static final ServerHttpHeadersWriter CONTENT_TYPE_HEADERS = StaticServerHttpHeadersWriter.builder()
			.header(X_CONTENT_TYPE_OPTIONS, NOSNIFF).build();

	@Override
	public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
		return CONTENT_TYPE_HEADERS.writeHttpHeaders(exchange);
	}

}
```
Comment From: jzheaux
Thanks for the offer, @joerg-richter-5234. The ticket is yours.
I think there are actually two things going on here. @marcusdacoregio is pointing out that the value is incorrect, and I am pointing out that the variable itself is not ideal.
So, instead, let's please just focus for now on correcting the value to X-Content-Type-Options in 5.7 and onward and leave the variable name as the same.
Please make this change on the 5.7.x branch, including a test to make sure the functionality is correctly verified.
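A response-header audit that shows why the wrong constant value matters, as an added example that is not code from this thread or from Spring Security: it parses a raw HTTP response and treats it as protected only when the exact `X-Content-Type-Options: nosniff` header is present, reporting the misspelled `X-Content-Options` variant separately. The sample responses and the list of misspellings are constructed for the demonstration.

```python
"""Audit HTTP response headers for a correctly spelled X-Content-Type-Options.

Added example, not code from the Spring Security issue thread. Browsers only
honour the exact header name "X-Content-Type-Options"; a misspelled variant
such as "X-Content-Options" (the bug discussed above) is silently ignored, so
the response gets no protection against MIME sniffing. Sample responses below
are constructed for the demonstration.
"""
from typing import Dict, List, Tuple

CORRECT_NAME = "x-content-type-options"
# Misspellings to report explicitly (constructed list; includes the one from the issue).
KNOWN_MISSPELLINGS = {"x-content-options", "x-content-type-option"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header section of a raw HTTP/1.1 response into a
    lowercase-name -> list-of-values map (header names are case-insensitive
    and may repeat)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if line == "":
            break                        # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_nosniff(raw: str) -> Tuple[bool, str]:
    """Return (protected, reason). Protected only when the exact header name
    carries the value 'nosniff' (matched case-insensitively, as browsers do)."""
    headers = parse_headers(raw)
    values = headers.get(CORRECT_NAME, [])
    if any(v.lower() == "nosniff" for v in values):
        return True, "X-Content-Type-Options: nosniff present"
    for name in headers:
        if name in KNOWN_MISSPELLINGS:
            return False, f"misspelled header '{name}' is ignored by browsers"
    if values:
        return False, f"X-Content-Type-Options has value {values!r}, not 'nosniff'"
    return False, "X-Content-Type-Options header missing"


# Constructed sample responses: what the buggy header writer emits and the fixed output.
BUGGY = "HTTP/1.1 200 OK\r\nX-Content-Options: nosniff\r\nContent-Type: text/html\r\n\r\n<html>"
FIXED = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for label, resp in (("buggy", BUGGY), ("fixed", FIXED)):
        print(label, audit_nosniff(resp))
```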