[whatwg] First or last Content-Type header?
Bil Corry
bil at corry.biz
Tue Jun 2 09:25:54 PDT 2009
Adam Barth wrote on 6/2/2009 3:17 AM:
> Now, consider the reverse:
>
> Content-Type: image/gif
> Content-Type: text/html
>
> In this case, IE renders the image correctly, but Firefox and Chrome
> don't show the image. This is less likely to occur on the web because
> it doesn't work in Firefox (e.g., >20% of the market).
It's less likely to occur legitimately, but more likely to occur under a header injection scenario. For example, here's a page that simulates serving an image from an untrusted user[1], with the correct content-type of image/x-ms-bmp, then a second (injected) content-type of text/html:
http://www.corry.biz:40100/
In Firefox 3, the page renders as HTML and delivers its hidden JavaScript payload, but in Internet Explorer 8, the page renders as a BMP image with no payload being delivered. It seems to me that IE has the correct behavior, or at least the more desirable behavior in this case.
- Bil
[1] Image from: http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589
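Bil's test page is no longer needed to see the effect. The following is an added example (not code from the original thread or from any of its participants) that reproduces the scenario in Python: a response builder that copies an untrusted Content-Type value into the header block without rejecting CR/LF, a parser that keeps duplicate headers in order, and two resolution policies. The "first wins" policy models the IE8 behaviour and the "last wins" policy the Firefox 3 behaviour as described in the thread; both labels are assumptions drawn from the posts, not from browser source. The injected header value, the fake BMP body and the media-type regex in the hardened variant are constructed for illustration.

```python
import re

# Constructed sample input: the value an attacker supplies where the server
# expects a media type. The CRLF smuggles a second Content-Type line.
INJECTED_TYPE = "image/x-ms-bmp\r\nContent-Type: text/html"
# Constructed body: not a real bitmap, just bytes that would be script if
# the response were rendered as HTML.
BODY = b"BM<script>alert(1)</script>"


def build_response(content_type, body):
    """Vulnerable builder: the Content-Type value is taken verbatim, so a
    value containing CRLF yields two Content-Type header lines."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: " + content_type + "\r\n"
        "Content-Length: " + str(len(body)) + "\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + body


# Illustrative media-type grammar (assumption): type "/" subtype, token chars
# only. Rejecting CR and LF is the property that matters here.
_MEDIA_TYPE = re.compile(r"[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+")


def build_response_hardened(content_type, body):
    """Hardened builder: refuse any value that is not a plain media type,
    which rules out CRLF and therefore header injection."""
    if not _MEDIA_TYPE.fullmatch(content_type):
        raise ValueError("invalid media type: %r" % content_type)
    return build_response(content_type, body)


def parse_headers(raw):
    """Split a raw HTTP/1.x response into ordered (name, value) pairs with
    lower-cased names, keeping duplicates instead of collapsing them."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the status line
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def content_types(raw):
    """All Content-Type values in the response, in wire order."""
    return [v for n, v in parse_headers(raw) if n == "content-type"]


def effective_content_type(raw, policy):
    """Resolve duplicates. 'first' models the first-header-wins behaviour the
    thread attributes to IE8; 'last' models the last-header-wins behaviour
    attributed to Firefox 3 (both assumptions based on the posts)."""
    types = content_types(raw)
    if not types:
        return None
    return types[0] if policy == "first" else types[-1]


def renders_as_html(raw, policy):
    """True if a browser using the given policy would treat the body as HTML."""
    ct = effective_content_type(raw, policy)
    return ct is not None and ct.split(";")[0].strip().lower() == "text/html"


if __name__ == "__main__":
    raw = build_response(INJECTED_TYPE, BODY)
    print("Content-Type headers on the wire:", content_types(raw))
    for policy in ("first", "last"):
        print(policy, "wins ->", effective_content_type(raw, policy),
              "| renders as HTML:", renders_as_html(raw, policy))
    try:
        build_response_hardened(INJECTED_TYPE, BODY)
    except ValueError as exc:
        print("hardened builder rejected the value:", exc)
```

Run stand-alone, the vulnerable builder emits `image/x-ms-bmp` followed by `text/html`; under the first-wins policy the body stays an image, under last-wins it becomes HTML and the embedded script would run. The hardened builder never emits the second header because the value fails the media-type check before it reaches the header block.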