X-Content-Type-Options can't be disabled #74

Open
ezelbanaan opened this issue May 20, 2021 · 4 comments
Comments

@ezelbanaan

I'm currently using talisman to set CSP, but I need to have X-Content-Type-Options disabled/not set. In the current version it is always set to 'nosniff'.

@tunetheweb
Contributor

That isn't one of the configurable options, so that functionality would need to be added, or you could override it using after_request.

from flask import Flask

app = Flask(__name__)

@app.after_request
def add_header(response):
    # Force remove X-Content-Type-Options added by flask-talisman
    del response.headers['X-Content-Type-Options']
    return response
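Whether that removal actually takes effect depends on registration order: Flask calls after_request functions in reverse order of registration, so the stripping hook only wins if it is registered before the hook flask-talisman installs in `Talisman(app)`. The block below is an added example, not code from this thread or from flask-talisman: `talisman_like_headers` is a constructed stand-in for the extension's own hook (which the thread notes always sets `nosniff`), and `build_app` / `header_after_request` are helper names chosen here.

```python
from flask import Flask


def talisman_like_headers(response):
    """Constructed stand-in for the after_request hook flask-talisman
    registers in Talisman.init_app(); the real extension always sets
    this header, which is the behaviour the issue is about."""
    response.headers["X-Content-Type-Options"] = "nosniff"
    return response


def strip_content_type_options(response):
    """The workaround from the thread. werkzeug's Headers.__delitem__
    does not raise when the header is absent, so this is safe to run
    even if nothing set the header on this response."""
    del response.headers["X-Content-Type-Options"]
    return response


def build_app(strip_first: bool) -> Flask:
    """Build a minimal app with the two hooks registered in the given order.

    Flask runs after_request functions in *reverse* registration order,
    so the stripping hook only runs last (and therefore wins) when it
    was registered before the Talisman-like hook (strip_first=True).
    """
    app = Flask(__name__)

    @app.route("/")
    def index():
        return "ok"

    if strip_first:
        app.after_request(strip_content_type_options)
        app.after_request(talisman_like_headers)
    else:
        app.after_request(talisman_like_headers)
        app.after_request(strip_content_type_options)
    return app


def header_after_request(strip_first: bool):
    """Return the X-Content-Type-Options value a client actually sees,
    or None when the header is absent from the response."""
    client = build_app(strip_first).test_client()
    return client.get("/").headers.get("X-Content-Type-Options")


if __name__ == "__main__":
    print("strip registered first :", header_after_request(True))   # None
    print("strip registered second:", header_after_request(False))  # nosniff
```

In practice this means the `@app.after_request` removal hook has to appear in the code before `Talisman(app)` is called; registering it afterwards leaves `nosniff` on every response.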

@ezelbanaan
Author

ezelbanaan commented May 21, 2021

I've opened a pull request #75. In this I've added the option to disable the X-Content-Type-Options header from being set. However, the Travis CI check is getting an import error and I don't know how to fix it; could you look at that?

@tunetheweb
Contributor

I'm not sure how actively this repo is being maintained at the moment, unfortunately :-( I've a few of my open PRs waiting too.

@theacodes are you still maintaining this?

It's complaining about coverage, though the error messages are weird. I know from when I submitted changes here in the past that it insists on 100% pytest coverage, so add a quick test to talisman_test.py and that might fix the error.

Also, I wonder if you should add a similar option for X-XSS-Protection while you're at it, since that's the other option that isn't configurable and some recommend unsetting it; all modern browsers have removed the XSS filter, so it's kind of wasted bytes, to be honest.

@ezelbanaan
Author

As you've already seen, I also added the option for X-XSS-Protection, and I've already added 2 tests. However, I'm still getting the Travis CI import error (https://travis-ci.org/github/GoogleCloudPlatform/flask-talisman/jobs/771895719).
