Introduce send_nosniff_header() and use it to turn off content sniffing in supported browsers. Fixes #10671 props chrisscott and niallkennedy.

git-svn-id: http://svn.automattic.com/wordpress/trunk@13409 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/admin-ajax.php

@@ -21,6 +21,7 @@ if ( ! isset( $_REQUEST['action'] ) )
 
 require_once('includes/admin.php');
 @header('Content-Type: text/html; charset=' . get_option('blog_charset'));
+send_nosniff_header();
 
 do_action('admin_init');
 

wp-admin/includes/misc.php

@@ -649,4 +649,17 @@ function win_is_writable($path) {
         unlink($path);
     return true;
 }
+
+/**
+ * Send a HTTP header to disable content type sniffing in browsers which support it.
+ * 
+ * @link http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+ * @link http://src.chromium.org/viewvc/chrome?view=rev&revision=6985
+ * 
+ * @since 3.0.0.
+ * @return none
+ */
+function send_nosniff_header() {
+	@header( 'X-Content-Type-Options: nosniff' ); 
+}
 ?>

wp-admin/index-extra.php

@@ -13,6 +13,7 @@ require_once( 'admin.php' );
 require( 'includes/dashboard.php' );
 
 @header( 'Content-Type: ' . get_option( 'html_type' ) . '; charset=' . get_option( 'blog_charset' ) );
+send_nosniff_header();
 
 switch ( $_GET['jax'] ) {