[whatwg] First or last Content-Type header?
bil at corry.biz
Tue Jun 2 11:53:46 PDT 2009
Adam Barth wrote on 6/2/2009 11:47 AM:
> On Tue, Jun 2, 2009 at 9:25 AM, Bil Corry <bil at corry.biz> wrote:
>> It's less likely to occur legitimately, but more likely to occur under a header injection scenario.
> As I wrote before in this thread, if the attacker can inject headers,
> there are far more severe attacks than changing the type of an HTTP
That may be true, but changing the content-type is a very serious issue, as you yourself point out in the draft we're discussing:
When a user agent uses different
heuristics for media type detection than the server expects, security
problems can occur. For example, if a server believes that the
client will treat a contributed file as an image (and thus treat it
as benign), but a user agent believes the content to be HTML (and
thus privileged to execute any scripts contained therein), an
attacker might be able to steal the user's authentication credentials
and mount other cross-site scripting attacks.
Perhaps the better choice would be to toss out the multiple content-headers entirely and rely exclusively on content-sniffing. Without the content-header, Firefox 3 correctly shows the image, and Internet Explorer incorrectly delivers the payload -- but your draft, if adopted, should fix that problem, correct?
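Added example, not code from this thread or from the draft under discussion: a small Python check written from the defending side. It parses a constructed response that carries two Content-Type headers, reports what a first-wins and a last-wins client would each see, sniffs the body for a PNG signature or a leading HTML tag, and flags the image-vs-HTML mismatch the quoted draft text warns about. The sample bytes and the minimal sniffer are assumptions for illustration, not the draft's algorithm.

```python
# Constructed sample response (not from the thread): two Content-Type headers,
# the ambiguity this thread is about, with an HTML body behind an image label.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>not really a picture</body></html>"
)

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
HTML_TAGS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<iframe")


def parse_response(raw):
    """Split a raw HTTP response into a list of (name, value) headers and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode(), value.strip().decode()))
    return headers, body


def sniff(body):
    """Minimal magic-byte sniff (an assumption, not the draft's rules)."""
    if body.startswith(PNG_MAGIC):
        return "image/png"
    head = body.lstrip()[:32].lower()
    if any(head.startswith(tag) for tag in HTML_TAGS):
        return "text/html"
    return "application/octet-stream"


def check_response(raw):
    """Report first/last declared type, the sniffed type, and any disagreement.

    A response is flagged when it carries more than one distinct Content-Type
    value, or when a declared type does not match what the body looks like.
    """
    headers, body = parse_response(raw)
    declared = [v.split(";")[0].strip().lower() for n, v in headers if n == "content-type"]
    sniffed = sniff(body)
    problems = []
    if len(set(declared)) > 1:
        problems.append("conflicting Content-Type headers: " + ", ".join(declared))
    for d in declared:
        if d != sniffed:
            problems.append("declared %s but body sniffs as %s" % (d, sniffed))
    return {"first": declared[0] if declared else None,
            "last": declared[-1] if declared else None,
            "sniffed": sniffed, "problems": problems, "ok": not problems}
```

A server-side filter or proxy can refuse any response where `ok` is false, so the first-or-last question never reaches the browser.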