[whatwg] First or last Content-Type header?
bil at corry.biz
Tue Jun 2 09:25:54 PDT 2009
Adam Barth wrote on 6/2/2009 3:17 AM:
> Now, consider the reverse:
> Content-Type: image/gif
> Content-Type: text/html
> In this case, IE renders the image correctly, but Firefox and Chrome
> don't show the image. This is less likely to occur on the web because
> it doesn't work in Firefox (e.g., >20% of the market).
It's less likely to occur legitimately, but more likely to occur under a header injection scenario. For example, here's a page that simulates serving an image from an untrusted user, with the correct content-type of image/x-ms-bmp, then a second (injected) content-type of text/html:
 Image from: http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589
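As an added illustration (not code from the thread or its author), the following Python sketch shows how a single unescaped CR/LF in a user-supplied header value produces the duplicated Content-Type sequence discussed above, how a "first wins" and a "last wins" parser then disagree, and the check a server should apply before emitting the header. The response builder, header names and the constructed filename are assumptions for the demo.

```python
# Added example, not from the whatwg thread. Demonstrates how header
# injection yields two Content-Type headers and why "first" vs "last"
# selection matters; the safe builder rejects the injected value.

CRLF = "\r\n"


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 response head into (name, value) pairs."""
    pairs = []
    for line in raw.split(CRLF)[1:]:  # skip the status line
        if not line:                  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def content_type(headers, policy="first"):
    """Pick Content-Type the way a 'first wins' or 'last wins' client would."""
    values = [v for n, v in headers if n == "content-type"]
    if not values:
        return None
    return values[0] if policy == "first" else values[-1]


def is_safe_header_value(value: str) -> bool:
    """A header value must not contain CR, LF or NUL; otherwise it can
    terminate the current header and start a new one."""
    return not any(c in value for c in "\r\n\0")


def build_response_naive(ctype: str, filename: str) -> str:
    # Vulnerable pattern: user-controlled filename is copied into a header
    # line without checking for CR/LF (hypothetical server code).
    return (f"HTTP/1.1 200 OK{CRLF}"
            f"Content-Type: {ctype}{CRLF}"
            f"Content-Disposition: inline; filename={filename}{CRLF}{CRLF}")


def build_response_safe(ctype: str, filename: str) -> str:
    # Hardened form: refuse any value that could split the header line.
    if not is_safe_header_value(filename):
        raise ValueError("CR/LF in header value rejected")
    return build_response_naive(ctype, filename)


# Constructed input: a filename that smuggles a second Content-Type header.
INJECTED = "pic.bmp\r\nContent-Type: text/html"


def demo() -> tuple:
    hdrs = parse_headers(build_response_naive("image/x-ms-bmp", INJECTED))
    return content_type(hdrs, "first"), content_type(hdrs, "last")
```

Running `demo()` returns `('image/x-ms-bmp', 'text/html')`: a client honouring the first header treats the body as the bitmap, one honouring the last treats it as HTML, which is the divergence the thread describes.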