Improve comment for 'nosniff' header

- Reworded the part about IE8 second-guessing content type
- Added a note about Flash, as per Mathias Karlsson's recommendation in
  issue #17874

core/http_api.php

@@ -132,8 +132,8 @@ function http_caching_headers( $p_allow_caching = false ) {
 function http_content_headers() {
 	if( !headers_sent() ) {
 		header( 'Content-Type: text/html; charset=UTF-8' );
-		# Disallow Internet Explorer from attempting to second guess the Content-Type
-		# header as per http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+		# Don't let Internet Explorer second-guess our content-type, as per
+		# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
 		header( 'X-Content-Type-Options: nosniff' );
 	}
 }

css/common_config.php

@@ -36,8 +36,8 @@
 header( 'Content-Type: text/css; charset=UTF-8' );
 
 /**
- * Disallow Internet Explorer from attempting to second guess the Content-Type
- * header as per http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+ * Don't let Internet Explorer second-guess our content-type, as per
+ * http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
  */
 header( 'X-Content-Type-Options: nosniff' );
 

css/status_config.php

@@ -34,8 +34,8 @@
 header( 'Content-Type: text/css; charset=UTF-8' );
 
 /**
- * Disallow Internet Explorer from attempting to second guess the Content-Type
- * header as per http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+ * Don't let Internet Explorer second-guess our content-type, as per
+ * http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
  */
 header( 'X-Content-Type-Options: nosniff' );
 

file_download.php

@@ -192,8 +192,10 @@
 header( 'Content-Type: ' . $t_content_type );
 header( 'Content-Length: ' . $v_filesize );
 
-# For Internet Explorer 8 as per http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
-# Don't let IE second guess our content-type!
+# Don't let Internet Explorer second-guess our content-type [1]
+# Also disable Flash content-type sniffing [2]
+# [1] http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+# [2] http://50.56.33.56/blog/?p=242
 header( 'X-Content-Type-Options: nosniff' );
 
 # dump file content to the connection.

javascript_config.php

@@ -41,8 +41,8 @@ function print_config_value( $p_config_key ) {
 header( 'Content-Type: application/javascript; charset=UTF-8' );
 
 
-# Disallow Internet Explorer from attempting to second guess the Content-Type
-# header as per http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+# Don't let Internet Explorer second-guess our content-type, as per
+# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
 header( 'X-Content-Type-Options: nosniff' );
 
 

javascript_translations.php

@@ -42,8 +42,8 @@ function print_translation( $p_lang_key ) {
 # application/javasscript is the correct MIME type.
 header( 'Content-Type: application/javascript; charset=UTF-8' );
 
-# Disallow Internet Explorer from attempting to second guess the Content-Type
-# header as per http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+# Don't let Internet Explorer second-guess our content-type, as per
+# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
 header( 'X-Content-Type-Options: nosniff' );
 
 echo "var translations = new Array();\n";