[whatwg] First or last Content-Type header?
bil at corry.biz
Tue Jun 2 16:24:20 PDT 2009
Den.Molib wrote on 6/2/2009 4:19 PM:
> Bil Corry wrote:
>> It's less likely to occur legitimately, but more likely to occur under a header injection scenario. For example, here's a page that simulates serving an image from an untrusted user, with the correct content-type of image/x-ms-bmp, then a second (injected) content-type of text/html:
> 1. The server or the script language you used to inject the payload may
> be replacing the header when you add the second header.
It may, but then there wouldn't be two headers, and it would fall outside the scope of this discussion.
> 2. Browsers in widespread use take into account the last header.
Yes, Adam has made this clear; only IE differs.
> Thus, pre-sending a header is not a method to protect the app.
Are you referring to current browser behavior? Or the proposed content-sniffing algorithm? If you're talking about current browser behavior, then it does work for IE.
>> Perhaps the better choice would be to toss out the multiple content-headers entirely and rely exclusively on content-sniffing. Without the content-header, Firefox 3 correctly shows the image, and Internet Explorer incorrectly delivers the payload -- but your draft, if adopted, should fix that problem, correct?
> How do you send as plain text html content (eg. samples of malicious
> Or simply send an html-howto in plain text.
The server should provide a single content-type header that specifies text/plain. In the context where there are two content-type headers, the answer will depend on which browser you want to protect: for IE, set the first header to text/plain; for all the others, set the last header to text/plain.
And to be clear, if the content-sniffing draft decides to use the last header because it interoperates with the most sites, then I get that. I just don't want to see it using a less secure method just because that's what 4 out of 5 browsers currently do.
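Added example (not part of the thread, not the WHATWG draft's own code): a small Python script that parses a constructed HTTP response carrying the legitimate image/x-ms-bmp header followed by an injected text/html header, shows which content type a "first header" browser (IE, per the thread) versus a "last header" browser would act on, and includes the two server-side checks a defender wants here: flagging duplicate Content-Type headers as an injection indicator, and rejecting user-supplied header values that contain CR/LF. The sample response bytes and the helper names are assumptions made for the example.

```python
from __future__ import annotations

# Constructed sample: the correct image/x-ms-bmp header, then an injected
# second Content-Type of text/html, as in the scenario described above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/x-ms-bmp\r\n"
    b"X-Injected: 1\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split the head of a raw response into (name, value) pairs, in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        if not line:
            continue
        name, _, value = line.partition(b":")
        pairs.append((name.strip().decode("latin-1").lower(),
                      value.strip().decode("latin-1")))
    return pairs


def content_types(raw: bytes) -> list[str]:
    """Every Content-Type value present, first to last."""
    return [v for n, v in parse_headers(raw) if n == "content-type"]


def effective_content_type(raw: bytes, policy: str) -> str | None:
    """'first' models the IE behaviour described in the thread, 'last' the others."""
    cts = content_types(raw)
    if not cts:
        return None
    return cts[0] if policy == "first" else cts[-1]


def has_duplicate_content_type(raw: bytes) -> bool:
    """Defensive check: more than one Content-Type header signals header injection."""
    return len(content_types(raw)) > 1


def is_safe_header_value(value: str) -> bool:
    """Server-side mitigation: a user-supplied header value must not contain CR or LF."""
    return "\r" not in value and "\n" not in value
```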