Rule ID
SV-246915r879887_rule
Version
V1R2
CCIs
MIME types define how a given type of file is intended to be processed by the browser. Modern browsers are capable of determining the content type of a file by byte headers and content inspection and can then override the type dictated by the server. An example would be a ".js" that was sent as the "jpg" mime type vs the JavaScript mime type. The browser would "correct" this and process the file as JavaScript. The danger is that a given file could be disguised as something else on the server, like JavaScript, opening up the door to cross-site scripting. To disable browser "sniffing" of content type, the Connection Server sends the "x-content-type-options: nosniff" header by default. This configuration must be validated and maintained over time.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find the "x-content-type-options" setting. If there is no "x-content-type-options" setting, this is NOT a finding. If "x-content-type-options" is set to "false", this is a finding.
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Open "locked.properties" in a text editor. Remove the following line: x-content-type-options=false Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.