Set Content-Type nosniff for all downloads

app/controllers/application_controller.rb

@@ -153,6 +153,11 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def set_content_type_nosniff
+    # When sending a file, we want to ensure that browsers follow our Content-Type header
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+  end
+
   def switch_locale(&)
     session[:locale] = sanitize_locale(params[:custom_locale] || params[:locale] || session[:locale])
     locale = session[:locale] || http_accept_language.compatible_language_from(I18n.available_locales) || I18n.default_locale

app/controllers/code_ocean/files_controller.rb

@@ -5,6 +5,7 @@ module CodeOcean
     include CommonBehavior
     include FileParameters
 
+    before_action :set_content_type_nosniff
     # Overwrite the CSP header and some default actions for the :render_protected_upload action
     content_security_policy false, only: :render_protected_upload
     skip_before_action :deny_access_from_render_host, only: :render_protected_upload

app/controllers/live_streams_controller.rb

@@ -4,6 +4,7 @@ class LiveStreamsController < ApplicationController
   # Including ActionController::Live changes all actions in this controller!
   # Therefore, it is extracted into a separate controller
   include ActionController::Live
+  before_action :set_content_type_nosniff
 
   skip_before_action :deny_access_from_render_host, only: :download_submission_file
   skip_before_action :verify_authenticity_token, only: :download_submission_file

app/controllers/submissions_controller.rb

@@ -463,11 +463,6 @@ class SubmissionsController < ApplicationController
     @files = @submission.collect_files.select(&:visible)
   end
 
-  def set_content_type_nosniff
-    # When sending a file, we want to ensure that browsers follow our Content-Type header
-    response.headers['X-Content-Type-Options'] = 'nosniff'
-  end
-
   def set_submission
     @submission = Submission.find(params[:id])
     authorize!