Consider adding nosniff header to sensitive responses
In addition to the no-store header for potentially sensitive responses that was added in #10306 and #10628, there's also a new X-Content-Type-Options: nosniff header that is used by newly introduced cross-site reading functionality: https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md
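As an added example, not code from the Vaadin project or from this issue, the following servlet Filter sets both headers the post refers to: `X-Content-Type-Options: nosniff` on every response (the header is harmless on any response, and it is the one cross-origin read blocking looks for), and `Cache-Control: no-store` (with `Pragma: no-cache` for older caches) on responses whose request path starts with a configured prefix. The `javax.servlet` API is assumed because Vaadin runs on servlet containers; the init-parameter name `sensitivePathPrefix` and its default `/sensitive/` are assumptions for this example, not Vaadin paths.

```java
// Added example (not Vaadin's own code): a servlet Filter that adds
// X-Content-Type-Options: nosniff to all responses and Cache-Control: no-store
// to responses under a configurable path prefix. The init-param name
// "sensitivePathPrefix" and its default are assumptions for this example.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(
        urlPatterns = "/*",
        asyncSupported = true,
        initParams = @WebInitParam(name = "sensitivePathPrefix", value = "/sensitive/"))
public class SecurityHeadersFilter implements Filter {

    private String sensitivePathPrefix;

    @Override
    public void init(FilterConfig config) {
        String prefix = config.getInitParameter("sensitivePathPrefix");
        this.sensitivePathPrefix = (prefix == null || prefix.isEmpty()) ? "/sensitive/" : prefix;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Headers must be set before the response is committed, so they are
        // applied up front rather than after chain.doFilter(). A downstream
        // servlet may still override them; that is intentional, since it knows
        // more about its own content than this filter does.
        resp.setHeader("X-Content-Type-Options", "nosniff");

        if (isSensitive(req)) {
            // no-store keeps the response out of browser and intermediary caches;
            // Pragma covers HTTP/1.0 caches that ignore Cache-Control.
            resp.setHeader("Cache-Control", "no-store");
            resp.setHeader("Pragma", "no-cache");
        }

        chain.doFilter(request, response);
    }

    /** The path relative to the context root, so the prefix check is independent of deployment. */
    boolean isSensitive(HttpServletRequest req) {
        String path = req.getRequestURI().substring(req.getContextPath().length());
        return path.startsWith(sensitivePathPrefix);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

To confirm the filter is active after deployment, issue a plain GET to a sensitive path and a non-sensitive path and compare the response headers: both should carry `X-Content-Type-Options: nosniff`, and only the sensitive one `Cache-Control: no-store`. If a Vaadin servlet or another filter later in the chain sets its own `Cache-Control`, that value wins, which is worth checking explicitly rather than assuming.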
Hello there!
We are sorry that this issue hasn't progressed lately. We are prioritizing issues by severity and the number of customers we expect are experiencing this and haven't gotten around to fixing this issue yet.
There are a couple of things you could help to get things rolling on this issue (this is an automated message, so expect that some of these are already in use):
- Check if the issue is still valid for the latest version. There are dozens of duplicates in our issue tracker, so it is possible that the issue is already tackled. If it appears to be fixed, close the issue, otherwise report to the issue that it is still valid.
- Provide more details how to reproduce the issue.
- Explain why it is important to get this issue fixed and politely draw others' attention to it, e.g. via the forum or social media.
- Add a reduced test case about the issue, so it is easier for somebody to start working on a solution.
- Try fixing the issue yourself and create a pull request that contains the test case and/or a fix for it. Handling the pull requests is the top priority for the core team.
- If the issue is clearly a bug, use the Warranty in your Vaadin subscription to raise its priority.
Thanks again for your contributions! Even though we haven't been able to get this issue fixed, we hope you will report your findings and enhancement ideas in the future too!
See also: https://stackoverflow.com/questions/62676910/click-jacking-and-missing-http-security-header-vaadin/62677405#62677405