Security Scan

We just finished performing a security scan on our Vaadin 8 app, and the following vulnerability was found:

Invalid content-type header

A resource was loaded that doesn’t match the response’s Content-Type HTTP header.

By serving sensitive content (especially JSON responses) with an incorrect Content-Type, an attacker may be able to bypass Chrome’s Site Isolation feature. Site Isolation is designed to protect users from Universal Cross Site Scripting (UXSS) and speculative execution attacks including Spectre and Meltdown.
Learn more about Chrome Site Isolation.
Learn more about Spectre and Meltdown.

To fix this vulnerability, please ensure that:
JSON responses are served with the Content-Type header “application/json”.
Other sensitive responses are served with appropriate MIME types.
Serve content with the HTTP header “X-Content-Type-Options: nosniff”.

I am not sure if this is a major issue or not. Please advise.

Thank you
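The three remediation points in the scanner report (JSON served as application/json, other sensitive responses with a correct MIME type, and X-Content-Type-Options: nosniff on everything) can be verified locally before re-running the commercial scanner. The script below is an added example, not part of this thread and not Vaadin's or the scanner's own code: it applies a simplified version of the scanner's check to a captured response (headers plus body) and reports the same two classes of finding. The two sample responses are constructed for illustration; they are not responses from the poster's application, and the scanner's real sniffing logic is assumed to be comparable, not identical.

```python
import json
from typing import Dict, List, Tuple


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'application/json; charset=UTF-8' into ('application/json', {'charset': 'utf-8'})."""
    if not value:
        return "", {}
    parts = [p.strip() for p in value.split(";")]
    mime = parts[0].lower()
    params: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"').lower()
    return mime, params


def looks_like_json(body: bytes) -> bool:
    """Conservative sniff: leading whitespace, then an object or array that actually parses."""
    text = body.lstrip()
    if text[:1] not in (b"{", b"["):
        return False
    try:
        json.loads(text.decode("utf-8"))
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def is_json_mime(mime: str) -> bool:
    # application/json plus structured-syntax suffixes such as application/problem+json
    return mime == "application/json" or mime.endswith("+json")


def check_response(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return a list of findings; an empty list means the response passes both checks."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    mime, _ = parse_content_type(lowered.get("content-type", ""))
    if looks_like_json(body) and not is_json_mime(mime):
        findings.append(
            "JSON body served as %s; expected application/json"
            % (mime or "(no Content-Type)")
        )

    # The header value is a single token; anything other than exactly "nosniff" is ignored by browsers.
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    return findings


# Constructed sample responses (not captured from any real application).
FLAGGED_RESPONSE = (
    {"Content-Type": "text/html; charset=UTF-8"},
    b'  {"ok": true, "items": [1, 2, 3]}',
)

CLEAN_RESPONSE = (
    {
        "Content-Type": "application/json; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
    },
    b'{"ok": true, "items": [1, 2, 3]}',
)


if __name__ == "__main__":
    for label, (hdrs, body) in (("flagged", FLAGGED_RESPONSE), ("clean", CLEAN_RESPONSE)):
        result = check_response(hdrs, body)
        print(label, "->", result or "no findings")
```

Setting the nosniff header itself is a server-side change (a servlet filter or the reverse proxy in front of the application); this script only tells you whether a given response would still trip the scanner's two rules after that change is made.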

Hi. Thank you for bringing this to our attention.

The issue in question is not of any major concern. The browser features in question are part of a defense in depth scheme, which means that they might help reduce the impact in cases where other vulnerabilities would also be present.

Thank you, this is very reassuring.

Perhaps, but sending the appropriate content-type for the content being sent is a reasonably good practice of coding on purpose.

Sending the conventional content type would indeed be good practice that we might implement at some point. The thing is just that it would be prioritized relative to other general enhancements and not as a critical security fix that we would have to release as soon as possible.