
Remove Internet Explorer MIME Sniffing Security Hole Workaround Policy


      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Problem Definition

      The Internet Explorer MIME Sniffing Security Hole Workaround Policy in Configuring JIRA Options can be confusing - it is also not consistent. It will allow PNGs and block JPGs. Its behaviour is also not entirely clear, for example in JRA-28965.

      Suggested Solution

      Remove the Internet Explorer MIME Sniffing Security Hole Workaround Policy functionality - IE7 has not been supported in JIRA for quite some time.


            [JRASERVER-43914] Remove Internet Explorer MIME Sniffing Security Hole Workaround Policy

            +1 dblack

            David Black added a comment - edited

            This setting is still needed. However, the name of it no longer really reflects what it does. What the setting actually does is change the attachment security policy. The default level is a default (secure) attachment level which uses a blacklist of content-types which are sent as attachment downloads; the "insecure" level simply sends all attachments "inline", and the "secure" attachment level sends all attachments as downloads.

            Let's close this issue. dcurrie@atlassian.com please open a new issue about "re-naming" the setting and updating the UI accordingly.

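The three levels described in the comment above, sketched as an added example; this is not Jira's code. The level names follow the comment, while the blocklist entries, the function names, the fallback for a missing content type and the `nosniff` header are assumptions made for illustration.

```python
# Added illustration, not Jira's code. Level names follow the comment above;
# the blocklist entries are assumed examples of browser-rendered types.
INLINE_BLOCKLIST = frozenset({
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
})
LEVELS = ("insecure", "default", "secure")


def media_type(content_type):
    """Bare lowercase type/subtype without parameters; "" if malformed."""
    mt = (content_type or "").split(";", 1)[0].strip().lower()
    main, _, sub = mt.partition("/")
    return mt if main and sub and "/" not in sub else ""


def disposition(level, content_type):
    """Choose the Content-Disposition type for one stored attachment."""
    if level not in LEVELS:
        raise ValueError(f"unknown attachment security level: {level!r}")
    if level == "insecure":
        return "inline"        # every attachment is rendered in the browser
    if level == "secure":
        return "attachment"    # every attachment is forced to download
    mt = media_type(content_type)
    # default level: blocklisted types download. A missing or malformed
    # type is treated the same way (assumption of this example).
    if not mt or mt in INLINE_BLOCKLIST:
        return "attachment"
    return "inline"


def response_headers(level, content_type):
    """Headers a server could send with the attachment body."""
    return {
        "Content-Type": media_type(content_type) or "application/octet-stream",
        "Content-Disposition": disposition(level, content_type),
        # Extra hardening added by this example, not described in the comment.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample content types, one row per level and type.
    samples = ["image/png", "Text/HTML; charset=utf-8", "image/svg+xml", ""]
    for level in LEVELS:
        for ct in samples:
            print(f"{level:9} {ct!r:28} -> {disposition(level, ct)}")
```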

            Oswaldo Hernandez (Inactive) added a comment

            dblack afaik we still need this setting nowadays, can you please clarify?

              Unassigned Unassigned
              dcurrie@atlassian.com Dave C