From 42c9b01114b00dbb19efee72e0aa99c60c6a1ce5 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sat, 29 Nov 2014 16:50:21 +0100
Subject: [PATCH 2/4] Improve comment for 'nosniff' header

- Reworded the part about IE8 second-guessing content type
- Added a note about Flash, as per Mathias Karlsson's recommendation in
  issue #17874
---
 file_download.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/file_download.php b/file_download.php
index 6d60817..803b083 100644
--- a/file_download.php
+++ b/file_download.php
@@ -187,8 +187,10 @@
 	header( 'Content-Type: ' . $t_content_type );
 	header( 'Content-Length: ' . $v_filesize );
 
-	# For Internet Explorer 8 as per http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
-	# Don't let IE second guess our content-type!
+	# Don't let Internet Explorer second-guess our content-type [1]
+	# Also disable Flash content-type sniffing [2]
+	# [1] http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+	# [2] http://50.56.33.56/blog/?p=242,
 	header( 'X-Content-Type-Options: nosniff' );
 
 	# dump file content to the connection.
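Review bot: Reference `[2]` in the new comment ends with a stray comma and points at a bare IP address over plain HTTP, so a later reader cannot tell what the source is or find it again if the host changes. I would name the source and cite the tracker entry instead, e.g. `# [2] Flash content-type sniffing, see issue #17874 (<stable URL of the write-up>)`. The comment could also record the limit of the header: `# nosniff only helps when the Content-Type sent above matches the actual file content`. `$t_content_type` is computed outside this hunk, so whether it is always accurate for uploaded attachments cannot be confirmed from here.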
-- 
1.9.1

