[whatwg] First or last Content-Type header?

Den.Molib den.molib at gmail.com
Tue Jun 2 14:19:47 PDT 2009

Bil Corry wrote:
> It's less likely to occur legitimately, but more likely to occur under a header injection scenario.  For example, here's a page that simulates serving an image from an untrusted user[1], with the correct content-type of image/x-ms-bmp, then a second (injected) content-type of text/html:
> 	http://www.corry.biz:40100/
> In Firefox 3, the page renders as HTML and delivers its hidden JavaScript payload, but in Internet Explorer 8, the page renders as a BMP image with no payload being delivered.  It seems to me that IE has the correct behavior, or at least the more desirable behavior in this case.

1. The server or the script language you used to inject the payload may
be replacing the header when you add the second header.
2. Browsers in widespread use take into account the last header.

Thus, presending a header is not a method to protect the app.

> Perhaps the better choice would be to toss out the multiple content-headers entirely and rely exclusively on content-sniffing.  Without the content-header, Firefox 3 correctly shows the image, and Internet Explorer incorrectly delivers the payload -- but your draft, if adopted, should fix that problem, correct?
> - Bil
How do you send as plain text html content (eg. samples of malicious
javascript) if using just heuristics?

Or simply send a html-howto in plain text.

More information about the whatwg mailing list